Re: [Puppet Users] Making intermediate certificate

2021-07-06 Thread Justin Stoller 
Hello!

I don't have a favorite tutorial for making the certificate, but for steps
two and three that you mentioned you should be able to run `puppetserver ca
import` to help import your certs and get them to the correct location on
disk.

HTH,
Justin

On Fri, Jul 2, 2021 at 12:11 PM Jarod Schoen 
wrote:

>
> Hi all, Does anyone here have a special favorite tutorial on generating an
> intermediate certificate in a domain environment?
>
> I know I need to generate the root cert on our domain CA (Windows Server).
> And then I need to import that to puppet server and concatenate.
> Then I need to put this intermediate contatenated cert in the puppet
> server certs directory.
>
> But I'm scared I'm going to break other certs on our domain CA server...
>
> Thanks
> Jarod
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/34cadb86-094e-4ee5-991e-4a588f189396n%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUAoyDYc1CNTWdJfMzLuVAkcNjZ48PrKVcZXw_hsHEdzQ%40mail.gmail.com.

Re: [Puppet Users] Newbie wants to know your favourite distro for Puppet Server

2021-06-15 Thread Justin Stoller 
On Tue, Jun 15, 2021 at 9:40 AM Jarod Schoen 
wrote:

> Hi all,
> I've been practicing getting Puppet Server (Master) up and running on a
> whole variety of distros. CentOS, Ubuntu, Debian... and the more
> instructions I read, the more its impossible to understand how Puppet works
> and should be installed.
>
> I swear, every single time I try to implement this, I try new instructions
> and get various results. Last year, I could get it up and running with 1
> Windows agent and pushed VLC. Can't get back to that level of functionality
> anymore...
>

That's terrible, I hope if our docs (or software) are part of the problem
you let us know!

>
> What is the #1 best distro for puppet server and
> do you know any great instructions for installing the latest Puppet
> Server/Agents v7
>
> I typically install it on Redhat 7 because that's what the majority of
customers use, however I think Redhat/CentOS 8, and our builds from
http://yum.puppet.com/puppet-release-el-8.noarch.rpm will treat you better.

HTH,
Justin

CentOS (or best distro) - with all Windows agents. No Linux agents required
> right now. I'm just trying to automate system installs on Windows.
>
>
> Thank you,
> Jarod
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/bf43a363-c32c-46aa-8439-aee4367430aan%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXmaNOF0477e6WB8mTSWOttpSwG%2BXoEyXxkeeamYd1zbQ%40mail.gmail.com.

Re: [Puppet Users] Puppetserver ca migrate

2021-03-11 Thread Justin Stoller 
On Sat, Mar 6, 2021 at 3:18 AM Bart-Jan Vrielink 
wrote:

> /etc/puppetlabs/puppetserver/ca is not a volume listed in the
> docker-compose file. Unless that directory is symlinked to somewhere under 
> /etc/puppetlabs/puppet/,
> that directory would get lost whenever the container gets updated. Not a
> good thing for certificates...
>

Yeah, that sounds terrible  I took that to the team that owns our
docker images. They seemed swamped but suggested a path forward, so I gave
it a shot in this PR: https://github.com/puppetlabs/puppetserver/pull/2505.
Feel free to contribute to the approach there if you want, otherwise I'll
reply to this thread when it's sorted out.



> -Original message-----
> *From:* Justin Stoller 
> *Sent:* Friday 5th March 2021 20:35
> *To:* puppet-users@googlegroups.com
> *Subject:* Re: [Puppet Users] Puppetserver ca migrate
>
>
>
> On Thu, Mar 4, 2021 at 11:44 PM Bart-Jan Vrielink 
> wrote:
>
>> Hello,
>>
>>
>> It would be nice if Puppet's Pupperware is also updated for this new CA
>> location...
>>
>
> Is it not? I don't actually work on that team, but I pulled the latest
> puppet/puppetserver image and saw this in the log:
>  pupperware (master<>) :: docker run -it puppet/puppetserver
>
> Running /docker-entrypoint.d/10-analytics.sh
>
> (/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled;
> skipping metric submission
> Running /docker-entrypoint.d/20-use-templates-initially.sh
>
> Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
> Running /docker-entrypoint.d/30-set-permissions.sh
> Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
> Running /docker-entrypoint.d/50-set-certname.sh
> Running /docker-entrypoint.d/55-set-masterport.sh
> Running /docker-entrypoint.d/60-setup-autosign.sh
> Running /docker-entrypoint.d/70-set-dns-alt-names.sh
> Running /docker-entrypoint.d/80-ca.sh
> Generation succeeded. Find your files in /etc/puppetlabs/puppetserver/ca
> Running /docker-entrypoint.d/85-setup-storeconfigs.sh
> Running /docker-entrypoint.d/90-log-config.sh
> System configuration values:
> 
>
> That "Generation succeeded. Find your files in
> /etc/puppetlabs/puppetserver/ca" line should be coming from the
> "puppetserver ca" cli generating the CA files in the new location
>
>
>>
>>
>> -Original message-
>> *From:* Justin Stoller 
>> *Sent:* Thursday 4th March 2021 18:11
>> *To:* puppet-users@googlegroups.com
>> *Subject:* Re: [Puppet Users] Puppetserver ca migrate
>>
>> Hi!
>>
>> If you've mounted external volumes for your cadir like:
>>
>>   --mount source=ca-volume,destination=/etc/puppetlabs/puppet/ssl/ca
>>
>> You should instead mount the destination as
>> /etc/puppetlabs/puppetserver/ca
>>
>> If you have a Dockerfile that pre-populates your cadir you'll need to
>> update your script to the destination above.
>>
>> Also, make sure your build process is running puppetserver ca setup as
>> part of the process (that should ensure new installs have the right
>> directory structure).
>>
>> If you're using this container as a lightweight vm and you've upgraded
>> your server inside it, you'll need to somehow override the entrypoint to be
>> a shell for you to work in (but you should look into using the container as
>> an ephemeral thing with persistent mounts to save data between containers).
>>
>> If you're using this in a dev setup and are fine with your certs not
>> persisting outside the life of the container you can effectively ignore the
>> warning for now (but hopefully one of the ideas above will help you find
>> the root cause of it).
>>
>>
>> Also, you're the second person to mention having to pass the --config
>> flag. That should only be necessary if you have a custom puppet.conf for
>> some advanced purposes. I'm wondering if it was the help output to the CA
>> tool that led you in that direction? I could see the current text being
>> confusing, just wondering if we should change:
>>
>> > Use the currently configured puppet.conf file in your installation, or
>> supply one using the `--config` flag.
>>
>> to something like
>>
>> > Uses the default puppet.conf in your installation, override by
>> supplying the --config flag.
>>
>> ?
>>
>>
>> Hope that helps,
>> Justin
>>
>>
>>
>>
>> On Thu, Mar 4, 2021 at 8:05 AM Gwen Clayde  wrote:
>>
>>> Hi,
>>>
>>> I want to solve this issue " The cadir is currently configured to b

Re: [Puppet Users] Puppetserver ca migrate

2021-03-05 Thread Justin Stoller 
On Thu, Mar 4, 2021 at 11:44 PM Bart-Jan Vrielink 
wrote:

> Hello,
>
>
> It would be nice if Puppet's Pupperware is also updated for this new CA
> location...
>

Is it not? I don't actually work on that team, but I pulled the latest
puppet/puppetserver image and saw this in the log:
 pupperware (master<>) :: docker run -it puppet/puppetserver

Running /docker-entrypoint.d/10-analytics.sh

(/docker-entrypoint.d/10-analytics.sh) Pupperware analytics disabled;
skipping metric submission
Running /docker-entrypoint.d/20-use-templates-initially.sh

Upgrading /opt/puppetlabs/server/data/puppetserver/vendored-jruby-gems
Running /docker-entrypoint.d/30-set-permissions.sh
Running /docker-entrypoint.d/40-update-puppetdb-conf.sh
Running /docker-entrypoint.d/50-set-certname.sh
Running /docker-entrypoint.d/55-set-masterport.sh
Running /docker-entrypoint.d/60-setup-autosign.sh
Running /docker-entrypoint.d/70-set-dns-alt-names.sh
Running /docker-entrypoint.d/80-ca.sh
Generation succeeded. Find your files in /etc/puppetlabs/puppetserver/ca
Running /docker-entrypoint.d/85-setup-storeconfigs.sh
Running /docker-entrypoint.d/90-log-config.sh
System configuration values:


That "Generation succeeded. Find your files in
/etc/puppetlabs/puppetserver/ca" line should be coming from the
"puppetserver ca" cli generating the CA files in the new location


>
> -Original message-
> *From:* Justin Stoller 
> *Sent:* Thursday 4th March 2021 18:11
> *To:* puppet-users@googlegroups.com
> *Subject:* Re: [Puppet Users] Puppetserver ca migrate
>
> Hi!
>
> If you've mounted external volumes for your cadir like:
>
>   --mount source=ca-volume,destination=/etc/puppetlabs/puppet/ssl/ca
>
> You should instead mount the destination as
> /etc/puppetlabs/puppetserver/ca
>
> If you have a Dockerfile that pre-populates your cadir you'll need to
> update your script to the destination above.
>
> Also, make sure your build process is running puppetserver ca setup as
> part of the process (that should ensure new installs have the right
> directory structure).
>
> If you're using this container as a lightweight vm and you've upgraded
> your server inside it, you'll need to somehow override the entrypoint to be
> a shell for you to work in (but you should look into using the container as
> an ephemeral thing with persistent mounts to save data between containers).
>
> If you're using this in a dev setup and are fine with your certs not
> persisting outside the life of the container you can effectively ignore the
> warning for now (but hopefully one of the ideas above will help you find
> the root cause of it).
>
>
> Also, you're the second person to mention having to pass the --config
> flag. That should only be necessary if you have a custom puppet.conf for
> some advanced purposes. I'm wondering if it was the help output to the CA
> tool that led you in that direction? I could see the current text being
> confusing, just wondering if we should change:
>
> > Use the currently configured puppet.conf file in your installation, or
> supply one using the `--config` flag.
>
> to something like
>
> > Uses the default puppet.conf in your installation, override by supplying
> the --config flag.
>
> ?
>
>
> Hope that helps,
> Justin
>
>
>
>
> On Thu, Mar 4, 2021 at 8:05 AM Gwen Clayde  wrote:
>
>> Hi,
>>
>> I want to solve this issue " The cadir is currently configured to be
>> inside the /etc/puppetlabs/puppet/ssl directory"
>>
>> The first step is :
>> puppetserver ca migrate --config
>>
>> After this , I got this message : "Puppetserver service is running.
>> Please stop it before attempting to run this command"
>>
>> i use puppet inside a docker container, if i stop it , i couldn't execute
>> the command of the first step.
>>
>> Is there another way to solve this problem?
>>
>> Thanks.
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/CACWwVtOMfy16NxMxZtNqLV1VR-ei6DaEihzF11M1v3ut9VbSJA%40mail.gmail.com
>> <https://groups.google.com/d/msgid/puppet-users/CACWwVtOMfy16NxMxZtNqLV1VR-ei6DaEihzF11M1v3ut9VbSJA%40mail.gmail.com?utm_medium=email_source=footer>
>> .
>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and s

Re: [Puppet Users] Puppetserver ca migrate

2021-03-04 Thread Justin Stoller 
Hi!

If you've mounted external volumes for your cadir like:

  --mount source=ca-volume,destination=/etc/puppetlabs/puppet/ssl/ca

You should instead mount the destination as /etc/puppetlabs/puppetserver/ca

If you have a Dockerfile that pre-populates your cadir you'll need to
update your script to the destination above.

Also, make sure your build process is running puppetserver ca setup as part
of the process (that should ensure new installs have the right directory
structure).

If you're using this container as a lightweight vm and you've upgraded your
server inside it, you'll need to somehow override the entrypoint to be a
shell for you to work in (but you should look into using the container as
an ephemeral thing with persistent mounts to save data between containers).

If you're using this in a dev setup and are fine with your certs not
persisting outside the life of the container you can effectively ignore the
warning for now (but hopefully one of the ideas above will help you find
the root cause of it).


Also, you're the second person to mention having to pass the --config flag.
That should only be necessary if you have a custom puppet.conf for some
advanced purposes. I'm wondering if it was the help output to the CA tool
that led you in that direction? I could see the current text being
confusing, just wondering if we should change:

> Use the currently configured puppet.conf file in your installation, or
supply one using the `--config` flag.

to something like

> Uses the default puppet.conf in your installation, override by supplying
the --config flag.

?


Hope that helps,
Justin




On Thu, Mar 4, 2021 at 8:05 AM Gwen Clayde  wrote:

> Hi,
>
> I want to solve this issue " The cadir is currently configured to be
> inside the /etc/puppetlabs/puppet/ssl directory"
>
> The first step is :
> puppetserver ca migrate --config
>
> After this , I got this message : "Puppetserver service is running. Please
> stop it before attempting to run this command"
>
> i use puppet inside a docker container, if i stop it , i couldn't execute
> the command of the first step.
>
> Is there another way to solve this problem?
>
> Thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CACWwVtOMfy16NxMxZtNqLV1VR-ei6DaEihzF11M1v3ut9VbSJA%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUKBsBfQ1FQ5sP5n%2BsM9RBqW7uMkB_3f%2BhFVPi9J-72%3DQ%40mail.gmail.com.

Re: [Puppet Users] Re: open source puppet-agent for ppc64le / power9 on rhel 8

2021-03-02 Thread Justin Stoller 
On Tue, Mar 2, 2021 at 9:05 AM Mark Dixon  wrote:

> Hi Nick,
>
> That's great news, for a moment there I was worried :)
>
> It's a new deployment so I'm fairly relaxed about puppet 6 vs. 7, but
> specifically I'm feeling the lack of any version at all for rhel8.
>

That's a weird thing with the top level /el/ directory. We definitely build
EL 8 builds internally and externally they're under /puppet/,
http://yum.puppetlabs.com/puppet/el/8/ .

If that doesn't work with the documented repo release packages let us know
as it'd be a bug.

 - Justin


> Best wishes,
>
> Mark
> On Tuesday, March 2, 2021 at 4:48:21 PM UTC Nick Walker wrote:
>
>> Hi Mark,
>>
>> We build for the Power architecture based on demand.  Since Puppet6 will
>> be will be supported for quite a while longer we didn't build Puppet7 on
>> Power and we can assess demand for Puppet 7 on Power.
>>
>> If you can reply to me with specifics of your environment I'm happy to
>> discuss further with you.
>>
>> Thanks,
>>
>> Nick
>>
>> On Tuesday, March 2, 2021 at 12:50:06 AM UTC-6 feed...@gmail.com wrote:
>>
>>> Hi all,
>>>
>>> Just been looking at yum.puppetlabs.com for a copy of the puppet agent
>>> for the ppc64le architecture on rhel8 and couldn't find one. I can see a
>>> rhel7 version of puppet6 (but not puppet7) and nothing at all for rhel8.
>>>
>>> Has open source puppet dropped support for IBM POWER9 clients, please?
>>>
>>> Thanks,
>>>
>>> Mark
>>>
>>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/c5c26255-c52b-4580-af8d-9a28e9c0d2ebn%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXZY7Z9okBfy8ZnVnS5UmzUy0BjkKvxWiMxpVzhpkXa9w%40mail.gmail.com.

Re: [Puppet Users] init config once

2021-01-31 Thread Justin Stoller 
Just to pile on. If you want the content updated whenever the package is
updated and you are managing the package with puppet you can "subscribe" to
the package resource to have the file resource only applied when the
package changes.

On Fri, Jan 29, 2021 at 11:47 AM Ben Ford  wrote:

> I do have a kind of terrible module that does exactly this I make no
> guarantees whatsoever about how well it works. I ended up not using it for
> much longer after building it.
>
> https://forge.puppet.com/modules/binford2k/manageonce
>
> On Fri, Jan 29, 2021 at 12:14 AM Martin Alfke  wrote:
>
>> A custom fact is the best way to report the status of the file on the
>> node to the master and have the file managed by Puppet based on the fact
>> value.
>>
>> Bolt needs ssh access to the systems (unless you are using Puppet
>> Enterprise which does not need ssh but uses a message queue on the master
>> and the pxp-agent on the nodes.).
>>
>> Besides this: Bolt must be executed manually
>>
>> On 29. Jan 2021, at 06:03, Benjamin Ridley  wrote:
>>
>> You might be better off using something like Puppet Bolt to deploy the
>> file as a one off task at provisioning, rather than trying to manage it
>> declaratively through Puppet.
>>
>> On Fri, 29 Jan 2021, 3:50 pm Steve McKuhr, 
>> wrote:
>>
>>> In an effort to avoid errors triggered by validate_cmd, I ended up
>>> using
>>> a conditional based on a File.exists custom fact. I'm still open to
>>> suggestions, this is all new territory to me.
>>>
>>>
>>> On Thu, 2021-01-28 at 17:13 -0800, Steve McKuhr wrote:
>>> > I've just realized that my problem statement was slightly misleading.
>>> A
>>> > 'users' file gets installed as part of the software package, and the
>>> > goal is replacing its contents during the first Puppet run. The next
>>> > Puppet runs should ignore any changes.
>>> >
>>> >
>>> > On Thu, 2021-01-28 at 20:07 +0100, Martin Alfke wrote:
>>> > > and please use ensure => file !
>>> > > this is more clear.
>>> > > you can set the file ensure attribute to one of the following: file,
>>> directory, link, absent
>>> > >
>>> > >
>>> > > > On 28. Jan 2021, at 18:58, Ben Ford  wrote:
>>> > > >
>>> > > > Yep, just use the replace attribute on the file resource.
>>> https://puppet.com/docs/puppet/latest/types/file.html#file-attribute-replace
>>> > > >
>>> > > > On Thu, Jan 28, 2021 at 9:57 AM Steve McKuhr <
>>> steve.mck...@gmail.com> wrote:
>>> > > > I'd like to initialize a user config file once, at software
>>> install time, then allow application admins to manage the file contents via
>>> web interface (add/remove users, etc.) - I have come up with the following:
>>> > > >
>>> > > > file { 'users':
>>> > > >   ensure => present,
>>> > > >   content => template('my-template'),
>>> > > >   validate_cmd => '/bin/test ! -f users.control',
>>> > > > }
>>> > > > file { 'users.control':
>>> > > >   ensure => present,
>>> > > >   content => "puppet managed",
>>> > > >   require => File['users'],
>>> > > > }
>>> > > >
>>> > > > The above code works ok, however I was wondering if there is a
>>> more elegant solution.
>>> > > >
>>> > > > Thanks,
>>> > > > Steve
>>> > > >
>>> > > >
>>> > > > --
>>> > > > You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> > > > To unsubscribe from this group and stop receiving emails from it,
>>> send an email to puppet-users+unsubscr...@googlegroups.com.
>>> > > > To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/fb1ae2b4-f220-4d18-864b-aafbadb44b14n%40googlegroups.com
>>> .
>>> > > >
>>> > > > --
>>> > > > You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> > > > To unsubscribe from this group and stop receiving emails from it,
>>> send an email to puppet-users+unsubscr...@googlegroups.com.
>>> > > > To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/CACkW_L5oTmsHiwvmVEisKap7gkUt1P4Gmvh1-%3DBQqNtHHiWAcA%40mail.gmail.com
>>> .
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to puppet-users+unsubscr...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/7a518ea8c6214ea01e1ce3d6e76273ddfd576493.camel%40gmail.com
>>> .
>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/CABaapw%2B3od6HtGXb8bGMncUXZWuiZW46frSfL62S%3DgjyqcJimg%40mail.gmail.com
>>

Re: [Puppet Users] Re: Older Ciphers? Weak Cipher Suites?

2020-11-10 Thread Justin Stoller 
We needed to upgrade Jetty but they changed their defaults and started
warning about weak ciphers. To avoid breaking folks we added back the
ciphers that had been allowed at the start of the 6.x series but that
causes a lot of warnings. If you don't have connections that rely on the
older ciphers you can remove the weak ciphers from puppetserver's
conf.d/webservers.conf and the warnings should go away. Let me know if the
release notes for 6.5 don't make sense.

On Tue, Nov 10, 2020 at 12:02 AM Dan Mahoney 
wrote:

> To be clear, here's the full list of what's warned about (each of these
> gets logged six times in succession, which I've deduplicated for brevity
> *except for the last one* so you can see that there are different addresses
> being listed).
>
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_128_CBC_SHA enabled for InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA enabled for InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@3900153c
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@4f27d2a8
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@5a789c49
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@6593530a
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@71baa8f5
> [provider=null,keyStore=null,trustStore=null]
> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
> TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for
> InternalSslContextFactory@7beb914b
> [provider=null,keyStore=null,trustStore=null]
>
> On Monday, November 9, 2020 at 11:58:30 PM UTC-8 Dan Mahoney wrote:
>
>> All,
>>
>> This is probably nothing but I've searched the mailing lists and can't
>> find anything useful about this.  We're running our puppetmaster under
>> FreeBSD at the day job (puppet 6.18), and we see errors like this on
>> puppetserver startup in the logs:
>>
>> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for
>> InternalSslContextFactory@7beb914b
>> [provider=null,keyStore=null,trustStore=null]
>> WARN [async-dispatch-2] [o.e.j.u.s.S.config] Weak cipher suite
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for
>> InternalSslContextFactory@3900153c
>> [provider=null,keyStore=null,trustStore=null]
>>
>> All in all, each warning is repeated several different times, and there's
>> probably seven or eight different ciphers.
>>
>> Java logging is...a mess, honestly, and it's pretty difficult to separate
>> signal from noise when you're trying to debug something.
>>
>> That said, I see release notes that something changed about weak ciphers
>> in 6.5, but we're not there yet.
>>
>> Is this something I should worry about, or just ignore?
>>
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/b5ec5090-810b-4bbc-80b4-cab024b20722n%40googlegroups.com
>

Re: [Puppet Users] Puppet Compiled catalog very slow after upgrade puppetserver from puppet5 to puppet6

2020-09-17 Thread Justin Stoller 
This is a draft of a new 6.x tuning guide we're working on, it may be of
some help to you
https://tickets.puppetlabs.com/browse/SERVER-2771

The big things are a need for increased codecache and a very negative
effect of low max-requests-per-instance values.

hth,
Justin

On Thu, Sep 17, 2020 at 7:20 AM Yan Xiaofei  wrote:

>  Hello
>
> I upgrade one of our puppetserver from puppetserver-5.3.1- to
> puppetserver-6.13.0. The puppet server became very busy than before.
> The puppet compiled catalog time is about 10 times than before.
>
> Here is one of tGhe client report:
>
> catalog_application380.6643
> transaction_evaluation380.1565
> config_retrieval11.5068
> package8.7797
> augeas6.1567
> file4.1379
> node_retrieval2.1395
> fact_generation1.5989
> plugin_sync1.1549
> service0.6611
> convert_catalog0.6149
> exec0.1104
> cron0.0581
> sshd_config0.038
> kernel_parameter0.0154
> yumrepo0.0066
> user0.0037
> anchor0.0019
> group0.0015
> Total398.0497
>
> It take about 5 times than before.
>
> Here is one of client report, it take only 72 seconds to finish the
> configuration:
> catalog_application55.3449
> transaction_evaluation54.9467
> user12.4695
> config_retrieval11.4419
> package8.1218
> augeas6.0239
> service3.3816
> file2.6859
> fact_generation1.7699
> convert_catalog1.707
> plugin_sync0.7643
> node_retrieval0.6629
> exec0.1127
> cron0.0607
> sshd_config0.0397
> group0.0277
> kernel_parameter0.0174
> yumrepo0.0055
> anchor0.0017
> Total72.3976
>
> How to tuning the performance of new version puppetserver.
>
> Best Regards
> Xiaofei
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAEneikT0wwfJ8e06a%3Dqryd5MBEe2X4%2B-wgdf_VXCh0QLH9kmSw%40mail.gmail.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVNp_n87f8ZQxC6JqVKBhZmciTsj8tOvqhPMc6zWVMH0Q%40mail.gmail.com.

Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-09-15 Thread Justin Stoller 
On Tue, Sep 15, 2020 at 5:25 AM pkraw...@gmail.com 
wrote:

> So I've done some research on the puppet generate types command.  I'm
> seeing many different results from not having issues to causing issues with
> puppet apply and puppet agent executions.

If I was to run this command and things go wrong, how do you reverse it?
> Remove the .resource_types directory?
>

Yep!


>
> On Friday, August 28, 2020 at 2:47:26 PM UTC-4 pkraw...@gmail.com wrote:
>
>> Justin, yes it's happening in all environments which leads me to believe
>> it's related to an old copy
>> in /opt/puppetlabs/puppet/cache/lib/puppet/type.  Still trying to wrap my
>> head around why one domain installation is fine and the other domain
>> installation is not.
>>
>> Here is the contents of that directory which works:
>> [root@myserverlab type]# pwd
>> /opt/puppetlabs/puppet/cache/lib/puppet/type
>> [root@myserverlab type]# ls -al
>> total 24
>> drwxr-xr-x 2 root root   77 Jul 16 16:04 .
>> drwxr-xr-x 6 root root   61 Feb  3  2020 ..
>> -rw-r--r-- 1 root root 1706 Jul 16 16:04 anchor.rb
>> -rw-r--r-- 1 root root 6921 Jul 16 16:04 file_line.rb
>> -rw-r--r-- 1 root root 1863 May  1  2017 httparch.rb
>> -rw-r--r-- 1 root root 6957 Jul 13 17:04 httpfile.rb
>> [root@myserverlab type]#
>>
>> Here is the contents of the directory that doesn't work:
>> [root@myserverprod type]# pwd
>> /opt/puppetlabs/puppet/cache/lib/puppet/type
>> [root@myserverprod type]# ls -al
>> total 24
>> drwxr-xr-x 2 root root   77 Sep 30  2018 .
>> drwxr-xr-x 6 root root   61 Apr 24  2017 ..
>> -rw-r--r-- 1 root root 1752 Sep 30  2018 anchor.rb
>> -rw-r--r-- 1 root root 7113 Sep 30  2018 file_line.rb
>> -rw-r--r-- 1 root root 1863 May 15  2017 httparch.rb
>> -rw-r--r-- 1 root root 6357 Apr 24  2017 httpfile.rb
>> [root@myserverprod type]#
>>
>> You can clearly see the date and size difference of httpfile.rb.  I
>> quadruple checked the puppet module directory on the prod server and the
>> code does have the quick_check parm.  For some reason it is just not
>> refreshing the server cache.  Both domains have a value of 0 for
>> environment_timeout for each environment.
>>
>> On Friday, August 28, 2020 at 2:32:05 PM UTC-4 Justin Stoller wrote:
>>
>>> On Fri, Aug 28, 2020 at 10:14 AM pkraw...@gmail.com 
>>> wrote:
>>>
>>>> Great info but I think I might have found the issue.
>>>>
>>>> So we don't use r10k to deploy code we use a different tool.  But what
>>>> I found is on the puppet server (master) the httpfile.rb in
>>>> /opt/puppetlabs/puppet/cache/lib/puppet/type is the older version.
>>>>
>>>
>>> I think puppet/cache is read by the agent not the server. I would expect
>>> that to cause problems on applying a catalog from the server, not result in
>>> a failed compilation. But barring a .resource_tyeps directory existing in
>>> an environment it must be an incorrect version of the httpfile.rb in the
>>> server's loadpath.
>>>
>>>
>>>> I didn't find any ./resource_types directory in our environment
>>>> directories so not sure if we are using environment isolation or not.
>>>>
>>>
>>> Just to clarify it will be ".resource_types" with a leading dot and will
>>> be hidden by default. [1]
>>>
>>>   As part of Justin's suggestion to allow the DELETE option to be valid,
>>>> I had to restart each of our 4 puppet servers so according to some of this
>>>> conversation, that should have refreshed the cache right?
>>>>
>>>
>>> Restarting or reloading will evict the in memory cache so if you have a
>>> very long environment_timeout it will work as well as doing an eviction of
>>> all your environments. It will not however remove any old files in your
>>> .resources_types directory. You will need to run the `puppet generate
>>> types` command with `--force` for that.
>>>
>>>
>>>>
>>>> What else is odd is the domain where the quick_check parm is work seems
>>>> to be getting refreshed somehow in /opt/puppetlabs/puppet/cache/lib/puppet
>>>> subdirectories (just looking at time stamps).  The deploy process works the
>>>> same in that domain along with the domain where quick_check is not working.
>>>>
>>>
>>> Can you validate that the failures happen not along a "domain" but along
>>> puppet environments. Like all the nodes that use httpfile in productio

Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-08-28 Thread Justin Stoller 
On Fri, Aug 28, 2020 at 10:14 AM pkraw...@gmail.com 
wrote:

> Great info but I think I might have found the issue.
>
> So we don't use r10k to deploy code we use a different tool.  But what I
> found is on the puppet server (master) the httpfile.rb in
> /opt/puppetlabs/puppet/cache/lib/puppet/type is the older version.
>

I think puppet/cache is read by the agent not the server. I would expect
that to cause problems on applying a catalog from the server, not result in
a failed compilation. But barring a .resource_tyeps directory existing in
an environment it must be an incorrect version of the httpfile.rb in the
server's loadpath.


> I didn't find any ./resource_types directory in our environment
> directories so not sure if we are using environment isolation or not.
>

Just to clarify it will be ".resource_types" with a leading dot and will be
hidden by default. [1]

  As part of Justin's suggestion to allow the DELETE option to be valid, I
> had to restart each of our 4 puppet servers so according to some of this
> conversation, that should have refreshed the cache right?
>

Restarting or reloading will evict the in memory cache so if you have a
very long environment_timeout it will work as well as doing an eviction of
all your environments. It will not however remove any old files in your
.resources_types directory. You will need to run the `puppet generate
types` command with `--force` for that.


>
> What else is odd is the domain where the quick_check parm is work seems to
> be getting refreshed somehow in /opt/puppetlabs/puppet/cache/lib/puppet
> subdirectories (just looking at time stamps).  The deploy process works the
> same in that domain along with the domain where quick_check is not working.
>

Can you validate that the failures happen not along a "domain" but along
puppet environments. Like all the nodes that use httpfile in production
have this failure but those in staging don't have this issue? If you have
some succeeding and some failing I would expect this to be the environment
to be the condition causing the different behavior.


> Since the /opt/puppetlabs/bin/puppet generate types --environment
> production --force operates by environment, could this possible break the
> environment as well?  These are production boxes I need to run this on and
> want to make sure I don't break anything.  Also using the environment parm
> will this then setup environment isolation and do i have to manually manage
> that each time code is deployed to that environment?
>

The environment param to `puppet generate types` specifies which
environment to act on, without it the command will only act on the
environment specified in the puppet.conf for the "main" section (The "main"
or "user" sections are almost always unmanaged and adopt the default values
which would be "production" for "environment" setting).

Running the command should be a relatively safe command, however I'm going
to advocate for anyone "doing it live" on a production box. In PE we deploy
this code and run this command in a staging area and then either lock the
server while we copy the files over or atomically manage a symlink. If you
are using environment caching as well it should be even safer because types
will only be read from disk on the first compilation that uses them and
then cached in memory after that.

hth,
justin

1.
https://puppet.com/docs/puppet/6.17/environment_isolation.html#env_generate_types


On Tuesday, August 25, 2020 at 5:09:28 PM UTC-4 Justin Stoller wrote:
>
>> > why wouldn't puppet just do this automatically when a module changes?
>>
>> Some background. Puppet's type and provider system modifies the running
>> Puppet instance when they're _loaded_. This causes issues when you try to
>> load multiple conflicting versions of a type in different environments. To
>> work around this we have a kind of header file for your types that Puppet
>> can read w/o actually loading the type. This way Puppet Server can load
>> multiple versions of a type (as long as those different versions are in
>> different environments) and check that each environment uses the type
>> correctly for that version.
>>
>> The command Dirk gave you, loads those types safely in a separate process
>> and then serializes their parameter information into a format for Puppet to
>> later read that doesn't corrupt its global state. It places this
>> information in the ".resource_types" directory at the root of your
>> environment (like "/etc/puppetlabs/code/environments/production")
>>
>> Also, in order to speed up Puppet Server catalog compilation, we attempt
>> to cache information like type parameters.
>>
>> In PE, if you use our built in code

Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-08-25 Thread Justin Stoller 
> why wouldn't puppet just do this automatically when a module changes?

Some background. Puppet's type and provider system modifies the running
Puppet instance when they're _loaded_. This causes issues when you try to
load multiple conflicting versions of a type in different environments. To
work around this we have a kind of header file for your types that Puppet
can read w/o actually loading the type. This way Puppet Server can load
multiple versions of a type (as long as those different versions are in
different environments) and check that each environment uses the type
correctly for that version.

The command Dirk gave you, loads those types safely in a separate process
and then serializes their parameter information into a format for Puppet to
later read that doesn't corrupt its global state. It places this
information in the ".resource_types" directory at the root of your
environment (like "/etc/puppetlabs/code/environments/production")

Also, in order to speed up Puppet Server catalog compilation, we attempt to
cache information like type parameters.

In PE, if you use our built in code management facilities, we generate this
type information on every commit (if needed), distribute it to your
compilers, and then evict the environment cache so that any new information
will be read.

In FOSS, r10k has a config setting to generate this info when it deploys an
environment [1].


Now, the error you're ultimately getting involves Puppet Server thinking
that you're using the httpfile class wrong. It looks like the "quick_check"
field was added in the latest version. So really the first question would
be, are you using the latest version in this environment?

Assuming you're doing that you probably either have the environment cache
containing an older version of the module (which should be resolved by
restarting the server or evicting the environment cache) or an old
.resource_types in the root of your environment that should be removed and
regenerated like Dirk said. Possibly you could have an older version in a
different environment that's being loaded first, but I don't think that'd
cause a problem for uncached, new parameters on a type.

HTH,
Justin

1.
https://github.com/puppetlabs/r10k/blob/master/doc/dynamic-environments/configuration.mkd#generate_types

On Tue, Aug 25, 2020 at 9:42 AM pkraw...@gmail.com 
wrote:

> So a followup to the original question.
>
> As a test we created a simple module on the node which is failing when
> puppet agent executes.  Running puppet apply, the parameter quick_check is
> found and the module completes successfully.  So why would puppet apply
> work and not puppet agent?
>
> Code:
>
> class testmod()
>
>   {
>
>   httpfile { "ansible-2.8.0a1.tar.gz":
>
> ensure  => present,
>
> path=> "/u01/testmod/ansible-2.8.0a1.tar.gz",
>
> source  => "
> https://mynexus.domain.com/nexus/repository/ae-raw-ansible-group/ansible/ansible-2.8.0a1.tar.gz
> 
> ",
>
> quick_check => true,
>
>   # hash=> 'hex form SHA2 hash OR an URL to the .sha file with that
> hash'
>
>}
>
>   }
>
>
>
> Here is my run:
> [root@node testmod]# puppet apply --modulepath=/home/toor --test -e
> "include testmod" --verbose
>
> On Tuesday, August 25, 2020 at 12:38:05 PM UTC-4 pkraw...@gmail.com wrote:
>
>> Dirk, why wouldn't puppet just do this automatically when a module
>> changes?  Is there a bug somewhere?
>>
>> On Tuesday, August 25, 2020 at 2:43:03 AM UTC-4 Dirk Heinrichs wrote:
>>
>>> Am Montag, den 24.08.2020, 11:06 -0700 schrieb pkraw...@gmail.com:
>>>
>>> Justin, I implemented the suggestion you made however after running the
>>> curl command against the 2 environments having the issue and receiving the
>>> 204 response, the puppet module is still getting the 500 error.  Do you or
>>> anyone else have any other suggestions?  Is it possible it's related to
>>> ruby and/or java?  Frankly I'm stumped.
>>>
>>>
>>> Didn't see this earlier, sorry.
>>>
>>> The "no parameter named 'xxx'" error can usually be resolved by
>>> recreating the metadata for your Puppet environment(s). This can be done on
>>> the Puppet master using the following command (for the production
>>> environment):
>>>
>>> /opt/puppetlabs/bin/puppet generate types --environment production
>>> --force
>>>
>>> I've added this command to my environment update script after running
>>> into this problem myself a few months ago after updating some external
>>> modules from the forge.
>>>
>>> See https://puppet.com/docs/puppet/5.5/environment_isolation.html for
>>> the details.
>>>
>>> HTH...
>>>
>>> Dirk
>>>
>>> --
>>>
>>> *Dirk Heinrichs*
>>> Senior Systems Engineer, Delivery Pipeline
>>> OpenText ™ Discovery | Recommind
>>> *Phone*: +49 2226 15966 18 <+49%202226%201596618>
>>> *Email*: dhei...@opentext.com
>>> *Website*: www.recommind.de
>>> Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
>>>

Re: [Puppet Users] Puppet Rest API's list

2020-08-12 Thread Justin Stoller 
Let us know if they aren't easily findable from google or through the docs
page. fwiw, they're linked by service/product like:
db: https://puppet.com/docs/puppetdb/latest/api/index.html
server: https://puppet.com/docs/puppetserver/latest/http_api_index.html
and pe: https://puppet.com/docs/pe/2019.8/api_index.html

On Tue, Aug 11, 2020 at 10:47 PM Vinay Korrapati 
wrote:

> Hi Team,
>
> Can we have all the puppet rest api's list ?
> eg:
> https://localhost:8081/pdb/query/v4/nodes/
>  https://localhost:8081/pdb/query/v4/facts/
>
> Regards
> Vinay
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/31c5c006-9c2a-440e-90b5-f1c54da6d52ao%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUyBLzr%2B2SUM_ofEKW_m4V2nnhn8_ObRDZit8fgrMDuMg%40mail.gmail.com.

Re: [Puppet Users] Alternative autosign parameter

2020-08-05 Thread Justin Stoller 
On Wed, Aug 5, 2020 at 9:10 AM alexey@gmail.com <
alexey.potyo...@gmail.com> wrote:

> Is it possible to configure the automatic signing of certificates in such
> a way that verification takes place according to a parameter in the config
> on the client. For example, the client config will contain the line:
>
> autosign=5e8ff9bf55ba3508199d22e984129be6
>
> Thus, if the md5 hash is correct, then the CA will sign the certificate
>

I think the thing you're describing is an example of using a CSR Attribute
with a policy based autosigner. This is the entry to the docs pages about
that: https://puppet.com/docs/puppet/6.17/ssl_attributes_extensions.html.

The tl;dr is that you write a special yaml file to the agent and the agent
will include the data in that file in its CSR to the CA. Then you configure
the CA to call a script you write to decide if the cert should be signed.
Your script can then validate that the CSR contains the correct data
attached.


hth,
Justin

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/825db62a-0163-4b51-b9f5-eac183136ae0n%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVehMU2GyU9v7idLdGij0d8HZphRKn28QiBdJcvw2KD%2Bw%40mail.gmail.com.

Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-07-17 Thread Justin Stoller 
On Fri, Jul 17, 2020 at 7:41 AM Peter Krawetzky 
wrote:

> Ok I figured out the curl command but I get this error:
>
> [root@mypuppetserver private_keys]# curl -v --header "Content-Type:
> application/json" --cert
> /etc/puppetlabs/puppet/ssl/certs/mypuppetserver.mydomain.com.pem
> --key
> /etc/puppetlabs/puppet/ssl/private_keys/mypuppetserver.mydomain.com.pem
> --cacert
> /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -X DELETE
> https://mypuppetserver.mydomain.com:8140/puppet-admin-api/v1/environment-cache
> * About to connect() to mypuppetserver.mydomain.com port 8140 (#0)
> *   Trying xx.xx.xxx.xx...
> * Connected to mypuppetserver.mydomain.com (xx.xx.xxx.xx) port 8140 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem
>   CApath: none
> * NSS: client certificate from file
> *   subject: CN=mypuppetserver.mydomain.com
> *   start date: Aug 14 15:32:34 2018 GMT
> *   expire date: Aug 14 15:32:34 2023 GMT
> *   common name: mypuppetserver.mydomain.com
> *   issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> * Server certificate:
> *   subject: CN=mypuppetserver.mydomain.com
> *   start date: Aug 14 15:32:34 2018 GMT
> *   expire date: Aug 14 15:32:34 2023 GMT
> *   common name: mypuppetserver.mydomain.com
> *   issuer: CN=Puppet CA: mypuppetcaserver.mydomain.com
> > DELETE /puppet-admin-api/v1/environment-cache HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: mypuppetserver.mydomain.com:8140
> > Accept: */*
> > Content-Type: application/json
> >
> < HTTP/1.1 403 Forbidden
> < Date: Fri, 17 Jul 2020 13:41:37 GMT
> < Content-Length: 115
> < Server: Jetty(9.4.z-SNAPSHOT)
> <
> * Connection #0 to host mypuppetserver.mydomain.com left intact
> Forbidden request: /puppet-admin-api/v1/environment-cache (method
> :delete). Please see the server logs for details.[root@mypuppetserver
> private_keys]#
>
> *puppetserver.log entries*:
> 2020-07-17 09:07:45,577 ERROR [qtp2067827614-66] [p.t.a.rules] Forbidden
> request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:07:45,585 ERROR [qtp2067827614-65] [p.t.a.rules] Forbidden
> request: 0:0:0:0:0:0:0:1 access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:12:02,951 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden
> request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:17:29,677 ERROR [qtp2067827614-61] [p.t.a.rules] Forbidden
> request: xx.xx.xxx.xx access to /puppet-admin-api/v1/environment-cache
> (method :delete) (authenticated: false) denied by rule 'puppetlabs deny
> all'.
> 2020-07-17 09:41:37,401 ERROR [qtp2067827614-63] [p.t.a.rules] Forbidden
> request: mypuppetserver.mydomain.com(xx.xx.xxx.xx) access to
> /puppet-admin-api/v1/environment-cache (method :delete) (authenticated:
> true) denied by rule 'puppetlabs deny all'.
>

This is from our auth subsystem which is configured at
/etc/puppetlabs/puppetserver/conf.d/auth.conf

It means there was no explicit auth rule for
"/puppet-admin-api/v1/environment-cache" so the default "deny all" rule was
applied.

You can create a rule in that auth.conf file, it will look something like:
https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/auth.conf#L110-L119
The above rule allows any GET request to any url matching
":/puppet/v3/environments*" by a requester presenting a
certificate trusted by the Puppet CA and names that rule "puppetlabs
environments" for logging purposes. Copy pasting that and substituting
"/puppet-admin-api/v1/environment-cache" for the path, giving it a
different name, and a method of "delete" should work. If not (or you want
to do something different than allow any node to evict the cache) you can
see the complete docs on auth rules here:
https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md#rules
.

You also might want to confirm that you have an environment_timeout set to
something troublesome too. You should be able to run `puppet config
--section master --environment  print environment_timeout` to see the
environment_timeout for the foo environment.

HTH,
Justin

-- 
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/173aa581-ddde-4e2a-aa46-b9666f93e844o%40googlegroups.com
>

Re: [Puppet Users] Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: no parameter named 'quick_check'

2020-07-16 Thread Justin Stoller 
It maybe because of a long environment timeout:
https://puppet.com/docs/puppet/5.5/environments_creating.html#task-3930
In PE this is set to unlimited by default when using code management. The
code manager will then manually evict the cache after a code deployment to
ensure that new code is viewable and old code is cached for as long as
possible. If you are caching code with a long environment timeout, but not
using code management you can also evict the cache by using the
environment-cache endpoint:
https://puppet.com/docs/puppetserver/latest/admin-api/v1/environment-cache.html

 HTH,
Justin

On Thu, Jul 16, 2020 at 10:52 AM Peter Krawetzky 
wrote:

> I've reviewed sever 500 error posts in here but the answers seem to differ
> based on the situation.
>
>
> One of our developers modified code to include a parameter available in
> httpfile 0.1.9 called quick_check.
>
> We have two installation of puppetserver one in lab domain and one in
> production domain.  Neither talk to the other domain.  It is completely
> isolated to the nodes in each domain.
>
> What's odd is lab works but when they deploy the code to production, it
> doesn't work and received the 500 error below.  I've compared everything
> between puppetserver versions, puppet versions, httpfile module versions,
> etc and nothing is obvious.
>
>
> This httpfile module is not installed using puppet module install but is
> placed in the same location as other modules created by the developers.
>
> I've verified the code was deployed correctly to each of the 4 production
> puppetservers (we use a load balancer to distribute the work) into the
> environment defined at the node (dev).
>
>
> Code:
> ### DOWNLOAD FROM REPO
> define oracle::remote_file($remote_location=undef, $mode='0644', $owner='
> root', $group='root'){
>
> httpfile { "${title}":
> ensure => present,
> path => "${title}",
> source => "$remote_location",
> quick_check => true,
> # hash => 'hex form SHA2 hash OR an URL to the .sha file with that hash'
> }
> file{$title:
> owner => $owner,
> group => $group,
> mode => $mode,
> require => Httpfile["${title}"],
> }
> }
>
>
> Error:
>
> 2020-07-15T08:35:15.325976-04:00 myserver puppet-agent[24036]: Could not
> retrieve catalog from remote server: Error 500 on SERVER: Server Error: no
> parameter named 'quick_check' (file:
> /u01/puppet/dev/modules/oracle/manifests/remote_file.pp, line: 6) on
> Httpfile[/var/opt/BESClient/LMT/oracle/options_packs_usage_statistics.sql]
> (file: /u01/puppet/dev/modules/oracle/manifests/remote_file.pp, line: 6) on
> node myserver.mydomain.com
>
>
> Any ideas what might be causing this?  Is there some cache not being
> refreshed on the pupperserver?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/886fd9da-c841-4d8b-80f3-d23bc2429e68o%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUfH_gMT2xBdfJNDcMsR%3D_0JLbVU70G9D%2BMyNpfURF1uQ%40mail.gmail.com.

Re: [Puppet Users] Re: revoke / delete node certificate from puppet ca remotely?

2020-07-15 Thread Justin Stoller 
In Puppet 6 and the latest Puppet 5 releases we shipped a subcommand with
Puppet Server `puppetserver ca` and an agent local subcommand `puppet ssl`
that can remotely manage the CA or manage an agent's local certificate info
respectively. These tools exist in Puppet 5 and and replaces the several
competing certificate related cli tools in Puppet 6.

Running `puppetserver ca revoke --certname server` from the Puppet Server
should let someone revoke a cert from the CLI in Puppet 6. On a different
host that command would return a 403 because the auth system expects the
user attempting the request to have a pp_cli_auth extension in their cert.
Here's that auth rule:
https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/auth.conf#L60-L73

If you wanted a node to be able to manage it's own certificate you might be
able to do something more like how we auth catalog access:
https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/auth.conf#L4-L14
That line makes it so only the node whose name matches a segment in the url
can access it. Additional docs for that file and what it can do are here:
https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md#rules

hth,
Justin

On Tue, Jul 14, 2020 at 4:22 PM Randy Zagar  wrote:

> Did you ever get this to work?  I used a similar method in an engineering
> lab where systems regularly got re-imaged and, hence, needed to be able to
> revoke and clean their own cert on the puppet-ca
>
> On Thursday, August 17, 2017 at 12:23:10 PM UTC, Jason McMahan wrote:
>>
>> Good morning,
>> We installed a puppet agent on our citrix mgmt servers.
>> The problem became that the way it is done a golden image is used,
>> server_dev. Once sealed that spins off multiple other servers for stage and
>> prod environments.
>>
>> We want to know about the servers, ensure they are in configuration and
>> not drifting between rebuilds and keep reports for a history on them.
>>
>> The idea was to once they are done stop the service (not disable), delete
>> the ssl directory, then revoke and delete the cert on the puppetca.
>>
>>
>> Has anyone else attempt to revoke and delete cert remotely from the
>> puppetca?
>>
>> We are attempting a curl command like
>> curl -X DELETE   --tlsv1   --cacert
>> /etc/puppetlabs/puppet/ssl/certs/ca.pem   --cert
>> /etc/puppetlabs/puppet/ssl/certs/server.pem--key
>> /etc/puppetlabs/puppet/ssl/private_keys/server.pem   -H "Accept:
>> application/json"   -H "Content-Type: application/json"   -d
>> '{"desired_state":"revoked"}'
>> https://puppetcat:8140/puppet-ca/v1/certificate_status/server?environment=production
>>
>> But everytime we get forbidden 403 whether running curl command from
>> remote server or even the puppetca itself.
>> Attemped to add ip to
>>  /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf as well as
>> /etc/puppetlabs/puppetserver/conf.d/ca.conf but still same error.
>>
>>
>> Any help or suggestions would be greatly appreciated.
>> Thank you
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/8c9be388-990e-4d02-a376-b1d1dca394c9o%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXXzTbArHvy3EXkEm9Dt9FMXGjOHrbKk7jOOoAkyFK6jA%40mail.gmail.com.

Re: [Puppet Users] Upgrade from puppet 5 to puppet 6

2020-06-24 Thread Justin Stoller 
On Wed, Jun 24, 2020 at 9:31 AM Aditya Gupta  wrote:

> Same error is coming even erb file is empty.
>

Have you changed the content of the included template function or written
your own?
If not I would assume it's coming from this line:
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/parser/functions/template.rb#L15
However, I can't imagine the Puppet module being undefined when loading a
ruby function.
Is this running within Puppet Server as a normal catalog compilation or is
this happening when executing a different tool that might bootstrap Puppet
differently?


>
> On Friday, June 19, 2020 at 1:45:24 AM UTC+5:30, Justin Stoller wrote:
>>
>> providing the erb template would be valuable, if possible.
>>
>> The error looks like someone defined new constants w/in a custom function
>> file.
>> Is your erb file calling a custom function?
>>
>> On Thu, Jun 18, 2020 at 8:08 AM Aditya Gupta  wrote:
>>
>>> Hello All,
>>>
>>> Recently i have updated from puppet-5 to puppet-6 but after upgrade my
>>> erb stop working.
>>> It is throwing error:
>>>
>>> Error: Error while evaluating a Function Call, undefined method `[]' for
>>> Puppet::Pops::Loader::RubyLegacyFunctionInstantiator::Puppet:Module
>>>
>>
>>> Simple resource:
>>> file { '/etc/libvirt/libvirtd.conf':
>>> ensure  => file,
>>> path=> '/etc/libvirt/libvirtd.conf',
>>> content => template('kvm/libvirtd.conf.erb'),
>>> }
>>>
>>>
>>> Please suggest.
>>>
>>> Thanks,
>>> Aditya
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to puppet...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/d541414b-9f12-4d0b-8abf-ecd00f67747ao%40googlegroups.com
>>> <https://groups.google.com/d/msgid/puppet-users/d541414b-9f12-4d0b-8abf-ecd00f67747ao%40googlegroups.com?utm_medium=email_source=footer>
>>> .
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/228686bf-5111-4b99-aa84-84fc3758c00bo%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/228686bf-5111-4b99-aa84-84fc3758c00bo%40googlegroups.com?utm_medium=email_source=footer>
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUCpdYN%2B%2Bg7Y0bmx6tWJdPN6aAos01xFt7sRP5QN3%2BYbw%40mail.gmail.com.

Re: [Puppet Users] Upgrade from puppet 5 to puppet 6

2020-06-18 Thread Justin Stoller 
providing the erb template would be valuable, if possible.

The error looks like someone defined new constants w/in a custom function
file.
Is your erb file calling a custom function?

On Thu, Jun 18, 2020 at 8:08 AM Aditya Gupta  wrote:

> Hello All,
>
> Recently i have updated from puppet-5 to puppet-6 but after upgrade my erb
> stop working.
> It is throwing error:
>
> Error: Error while evaluating a Function Call, undefined method `[]' for
> Puppet::Pops::Loader::RubyLegacyFunctionInstantiator::Puppet:Module
>
> Simple resource:
> file { '/etc/libvirt/libvirtd.conf':
> ensure  => file,
> path=> '/etc/libvirt/libvirtd.conf',
> content => template('kvm/libvirtd.conf.erb'),
> }
>
>
> Please suggest.
>
> Thanks,
> Aditya
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/d541414b-9f12-4d0b-8abf-ecd00f67747ao%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqWjK_O1Z808eE62aPFzoSEs8ThaCM-Zq-HuvpJnZBWg3Q%40mail.gmail.com.

Re: [Puppet Users] How do I install Puppetserver for Ubuntu 20.04 (focal)?

2020-06-15 Thread Justin Stoller 
We shipped agent support for Focal but did not have plans to support it as
a master platform. I believe product was trying to gauge community interest
before committing to it and taking requests in
https://tickets.puppetlabs.com/browse/SERVER-2820.

>From an internal note it looks like they have decided to support it, but it
hasn't been prioritized yet. Commenting in the above ticket should help
with that.

HTH,
Justin

On Mon, Jun 15, 2020 at 1:54 AM Devminded  wrote:

> Hi.
>
> I'm trying to figure out how to install puppetserver on a Ubuntu 20.04
> (focal) but I cannot find any package.
> I have installed the https://apt.puppetlabs.com/puppet6-release-focal.deb
> but the puppetserver is not listed. In-fact the entire
> https://apt.puppetlabs.com/dists/focal/puppet6/binary-amd64/Packages file
> has very few packages listed compared to xenial and bionic.
>
> Has the puppetserver changed name, moved, merged or is it not ready until
> we have 20.04.1 in July?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/55ce7284-9833-4bde-9e9e-e241e73f2f34o%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUzz9v3U7BY3SCssmdgWhEm99pZmyKm-PboczWA9SPRtw%40mail.gmail.com.

Re: [Puppet Users] puppetserver - Performance and tuning

2020-06-15 Thread Justin Stoller 
You might want to have a target for memory per worker that you tune for.

In Puppet 5, if you are using the default JRuby 1.7 implementation, you
might start at 1/2G per JRuby on a small test box and go up in 1/4G
increments seeing how your average catalog performance changes. I want to
say most folks using JRuby 1.7 use between 0.5 and 1 G per instance (though
obviously some are going below or above that).

If you're using the optional JRuby 9k support in Puppet 5 or you've
upgraded to Puppet 6 where we use 9k by default then you will probably want
to start with a higher amount of memory to start out with (3/4 or 1G). With
9k you'll also want to make sure you have plenty of off heap CodeCache and
Metaspace available. I want to say with 9k I usually see folks with 0.75 to
1.5G and up to 100M of CodeCache per instance.

You'll basically want your memory to be large enough per jruby to hold a
catalog request in it w/o triggering a GC, though the more memory you have
allocated the longer the GC pauses.

Besides longer GC pause times there's some things to keep in mind when
scaling vertically.

After 32G of heap the JVM changes how it manages pointers and the size of
every object increases. Since every object is bigger you need more heap per
instance than you would on heaps smaller than 32G. You may need 120-150%
more per instance when using heaps larger than 32G.

If you're using 9k then there is a limit to the size of the CodeCache (2Gb,
iirc) that will effectively limit how many instances you can have per box.

CPU-wise a JRuby worker instance per [v]CPU is probably a good place to
start.

And regardless of box size, you should keep max-requests-per-instance
disabled. And while doing this it will really help to have meaningful
metrics reported. You might want to look into puppet_metrics_dashboard or
puppet_metrics_collector modules on the forge for a basic setup to get
started quickly.

HTH,
Justin

On Fri, Jun 12, 2020 at 7:04 AM Nerbolff  wrote:

> Hello, community,
>
>
> I wonder if my setup is properly thought out.
> I've got a 4000+ instance to puppetize.  and several puppetserver are
> available.
>
>
> - Ubuntu 18.04.3 LTS \n \l
> - puppetserver version: 5.3.10
>
>
> here the memory location based to 128Go installed on the machine:
> $ grep JAVA_ARGS  /etc/default/puppetserver
> JAVA_ARGS="-Xms64g -Xmx64g
> -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"
>
> $ grep MemTotal /proc/meminfo
> MemTotal:   131736260 kB
>
> based to number of 20 core available hyperthreding is OFF.
> $ sudo grep max-active-instances
>  /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf |grep -v defau
> max-active-instances: 16
>
> $  lscpu | egrep 'Model name|Socket|Thread|NUMA|CPU\(s\)'
> CPU(s):  20
> On-line CPU(s) list: 0-19
> Thread(s) per core:  1
> Socket(s):   2
> NUMA node(s):2
> Model name:  Intel(R) Xeon(R) CPU E5-2630L v4 @ 1.80GHz
> NUMA node0 CPU(s):   0,2,4,6,8,10,12,14,16,18
> NUMA node1 CPU(s):   1,3,5,7,9,11,13,15,17,19
>
>
> Any advice/comments will be appreciated.
>
>
>
> Thanks
> N.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/d9e58408-f6df-4459-b540-30849ff5715ao%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUgRbwyd%2BQdDzwcdTYCkQkb968U4XAgxqkwOx8x8OU%2BKA%40mail.gmail.com.

Re: [Puppet Users] SSL Port 8140 not running

2020-05-26 Thread Justin Stoller 
I'd expect errors from the service framework/java level to go into the
journal and/or /var/log/{messages,syslog}.
If the service framework says it's up and running and there's nothing in
the above logs there should be _something_ in
/var/log/puppetlabs/puppetserver.log

you might also want to double check the webserver values in your
/etc/puppetlabs/puppetserver/conf.d/  it should have a value that looks
something like:

webserver: {
...other configuration...
ssl-port: 8140
}

hth,
justin

On Tue, May 26, 2020 at 8:50 AM Andreas Meier  wrote:

> Hi Group!
>
> I am just trying to setup puppetserver 6.9.1 on linux.
> Service is starting, but no port 8140 is up and I don´t know why.
> I found noting in: /var/log/puppetlabs
>
> Can you please help?
>
> Best
> Andreas
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/17ae689e-e0e4-4d1f-9601-1ef7830737eb%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVCAKuE78FMciUDPCak3miv8A_Eq0cKmkeEnY-CHP9%3Dpg%40mail.gmail.com.

Re: [Puppet Users] Puppet on Ubuntu Focal

2020-04-29 Thread Justin Stoller 
On Tue, Apr 28, 2020 at 4:46 PM comport3  wrote:

> Thanks for the update Gabriel, appreciated. Do you know when v6.15.0 is
> expected to be release, even approximately?
>

Hopefully tomorrow ( :

We're double checking things now for the release and unless we find a
blocker that's when it will go out.

FWIW, that will be for the agent, we haven't made a decision if it will be
a supported master platform yet.

In general we try to have agents available for the next FOSS release after
an OS update comes out (~1 month), though some systems require more work
than others. After we get agent support we evaluate master support but
that's more of a business decision that depends on user demand.

HTH,
Justin


> On Sunday, April 26, 2020 at 6:05:40 PM UTC+10, Gabriel Nagy wrote:
>>
>> Hi,
>>
>> Focal support will be added in the next puppet release (6.15.0). You can
>> still use the nightly builds in the meantime:
>> http://nightlies.puppet.com/apt/
>>
>> Thanks,
>> Gabriel
>>
>>
>> On Sun, Apr 26, 2020, 10:55 comport3  wrote:
>>
>>> This is the same as my experience on Friday - the release file is there
>>> but the packages are not yet available.
>>>
>>> The 'bionic' release and binaries work perfectly well though if it gets
>>> you past this step...
>>>
>>> On Sunday, April 26, 2020 at 1:07:14 AM UTC+10, Arpit sharma wrote:


 Actually I am using puppet as a standalone.

 I ran
 *wget http://apt.puppetlabs.com/puppet6-release-focal.deb
 *
 *dpkg -i puppet6-release-focal.deb *
 *apt update*

 then when I ran
 *apt install puppet-agent*
 This was the error

 Package puppet-agent is not available, but is referred to by another
 package.
 This may mean that the package is missing, has been obsoleted, or
 is only available from another source

 E: Package 'puppet-agent' has no installation candidate

 and when I ran
 apt install puppet it again installed
 *puppet -V*
 /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is
 obsolete
 5.5.10

 Few questions
 What is the difference between puppet and puppet-agent
 What is the difference between puppet in apt universe and the puppet
 installed after adding the given repo.
 On Saturday, April 25, 2020 at 4:46:58 PM UTC+5:30, Martin Alfke wrote:
>
> Are you using system ruby, installing puppet as a Ruby gem?
> No need to do this.
> Puppet Agent ships required ruby version.
> Just add the repo (http://apt.puppetlabs.com/puppet6-release-focal.deb)
> and then install puppet-agent package.
>
> hth,
> Martin
>
>
> > On 24. Apr 2020, at 17:27, Arpit sharma  wrote:
> >
> > Since Focal ships with Ruby 2.7 I am having trouble  using puppet on
> Focal
> > Mostly related to this issue
> > https://tickets.puppetlabs.com/browse/PUP-10247
> > When can we expect to have a stable version for Focal?
> >
> > --
> > You received this message because you are subscribed to the Google
> Groups "Puppet Users" group.
> > To unsubscribe from this group and stop receiving emails from it,
> send an email to puppet...@googlegroups.com.
> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/e8161f0c-d79b-4ab7-b592-358678380a1d%40googlegroups.com.
>
>
> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to puppet...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/26a5edad-bf96-41ae-80d7-6d68f378b223%40googlegroups.com
>>> 
>>> .
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/c524c6b2-6321-481d-bec8-8aa27453e13d%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqV4ja%2B%2BHKn2VQA37A_iV8U-9%3DZdj1kXQ_pC%2Bn2rgPdGuA%40mail.gmail.com.

Re: [Puppet Users] PuppetDB latest version has disabled APIv1 metrics

2020-03-13 Thread Justin Stoller 
I believe a config value was added at:
metrics.metrics-webservice.mbeans.enabled
to match the jolokia one that controls v2.
However the default for the mbeans / v1 endpoint is now `false`.

Note that this is now the case for Puppet Server as well and can be
re-enabled with the same config value in its respective conf.d.

hth,
Justin

On Thu, Mar 12, 2020 at 7:23 PM comport3  wrote:

> The latest version of PuppetDB v6.9.1 has removed localhost access to the
> v1 API metrics.
> Ref https://puppet.com/security/cve/CVE-2020-7943/
>
> https://puppet.com/docs/puppet/latest/release_notes_puppet.html#puppet-resolved-issues-x.12.0
>
> Given it's only "disabled by default", this suggests there is (or, should
> be) a way to re-enable it, so we can continue using this excellent Icinga2
> plugin -
> https://github.com/xorpaul/check_puppetdb/
>
> Does anyone know how to re-enable the presently disabled functionality?
>
> This page should have info in my opinion, but doesn't
> https://puppet.com/docs/puppetdb/latest/api/metrics/v1/mbeans.html
>
> Issue tracked here: https://github.com/xorpaul/check_puppetdb/issues/14
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/bd6f9954-9e51-46d4-90f8-0d5fa407402b%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqWQ_uzLHg48jBnXAgLV%2BjBXqSULYhkRbovN%3D5RDHT1XdQ%40mail.gmail.com.

Re: [Puppet Users] The sense of the strict_hostname_checking boolean changed from 6.8.0-1 to 6.9.0-1 (Ubuntu 18)

2020-03-02 Thread Justin Stoller 
On Sun, Mar 1, 2020 at 4:38 PM Simon Tideswell  wrote:

> Hello
>
> In case someone else gets tripped up by this, when upgrading from 6.8.0-1
> to 6.9.0-1 on Ubuntu 18 (and possibly other platforms) the sense of
> *strict_hostname_checking* changes. Previously it appears it was set to
> *false* by default.
>
> This means that a node manifest like ...
>
> *node 'my-lovely-node' {*
> * stuff*
> *}*
>
> ... will work. But with the upgrade it changes to *true* meaning the
> above will not work (and chaos ensues).
>
> After the change, if you don't set strict_hostname_checking to false in
> puppet.conf for the Puppet master, you will need this ...
>
> *node 'my-lovely-node.mydomain.com ' {*
> * stuff*
> *}*
>
> Not a biggy, but I wasted half an hour or so one Saturday morning because
> of this. Hopefully if someone reads this before upgrading they can save a
> similar minor irritation.
>

Thanks for calling that out, Simon. It should be in the release notes but
that was done because the code that matches the nodename segments also
allows matching on several facts (hostname, domain, fqdn) as well as
certname.

Originally, this was an intentional design decision by Puppet (12+ years
ago) that a node could contribute to its own classification and that the
flexibility outweighed any security concerns (once a node's cert was
compromised the entire estate was effectively compromised as any node could
find out anything about any other node - including the master).

However, that was before the Puppet 4 language extensions, a reliable
external node classifier, or various fact improvements (or having to be
audited by large customer security teams). Since then we've generally built
Puppet features towards the idea that a compromised agent cert only
compromises that agent's info.

We looked into "fixing" the domain segment matching so that it only used
the node's certname but there were internal concerns that there could be
accidental leakage with "my-lovely-node.west.domain.com" retrieving "
my-lovely-node.east.domain.com"s classification. Consequently, we've
deprecated both strict_hostname_checking & node_name settings with the
intention of removing them in Puppet 7 (no eta).

We believe use cases served by those features are now available in the
Puppet language, eg:
node /my-lovely-node.*/ { ... }

We've left the setting in for now though so users can time their upgrades
to newer syntax appropriately.

HTH,
Justin


PS. h/t to @Abaddon for his work with us on this issue



> Simon
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/01b325c5-c9de-4fc4-97ed-b408b00d9cd9%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqV-p-JHY_e7v-gX5Lqk7WcxgGP89e97oOO9-KCudTnG8w%40mail.gmail.com.

Re: [Puppet Users] Re: Puppetserver performance plummeting a few hours after startup

2020-02-10 Thread Justin Stoller 
On Mon, Feb 10, 2020 at 1:44 AM Martijn Grendelman 
wrote:

> Hi Kevin and others who have responded,
>
> Thanks all for your tips. Unfortunately, no breakthroughs yet.
>
> The current state is this:
>
>- Both Puppetservers typically run at the latest version, currently
>both 6.8.0.
>- The primary server has 8 virtual cores and 12 GB of physical
>(virtualized) RAM, Java is running with -Xms6g -Xmx6g.
>- Max-active-instances is currently set to 7.
>- This morning, I added -XX:ReservedCodeCacheSize=1g to the JVM
>startup config.
>- The size of our 'environments' directory is 131 MB. We currently
>have 3 environments.
>
> I've been looking at JVM stats with 'jstat', and the server doesn't appear
> to spend any significant amount of time doing GC (seems to be about 1%).
>

fwiw, gceasy.io and their family of jvm analysis reports can be helpful if
you have the gc logs, etc available. You might want to see if you're
managing Metaspace (like -XX:MaxMetaspace=1G). Mostlikely not, and if you
were having issues I think it'd cause full GCs so its not likely a problem,
but its a thing to check. It should, if you have to manage it, have a
similar value to CodeCache.


>
> After a server restart, compilation times typically drop to 9 seconds on
> average (on the secondary server, it's 5 seconds consistently), but after a
> while, they go back to 30 or 40 seconds.
>

> As I noted in my first post, our server has an average  of less than 2
> concurrent agents talking to it, so I can't imagine this happening due to
> lack of resources. The fact that our secondary server handles a bigger load
> than the primary, with a third of the memory and only 2 cores, seems to
> confirm this.
>

One thing that gets folks is that each worker instance is pretty
heavy-weight (heap, non-heap, and cpu, even when relatively idle). If
you only need 2 or 3 instances, you should try lowering your max active
instances to that number and see what happens.

>
> So:
> - enough CPU power (I would think)
> - enough memory
> - no significant garbage collection
> - Puppetserver causing a load of 5
>

I also asked about max-requests-per-instance, ideally it should be 0 (ie
off) or some very high number (like 100).


> Any more tips? Would it make sense to run PuppetDB and PostgreSQL on a
> different VM?
>

If that's the biggest difference you might want to go in that direction.
I've seen PSQL tuned to where it's different child processes would consume
way more memory than intended. You'd probably want to confirm that with
top, et al.


> Thanks,
> Martijn Grendelman.
>
>
>
>
>
>
>
>
>
>
> Op 6-2-2020 om 17:43 schreef KevinR:
>
> Hi Martijn,
>
> it sounds like you have a sub-optimal combination of:
>
>- The amount of JRubies
>- The total amount of java heap memory for puppetserver
>- The size of your code base
>
> This typically causes the kind of problems you're experiencing. What's
> happening in a nutshell is that puppet is loading so much code in memory
> that is starts running out of it and starts performing garbage collection
> more and more aggressively. At the end, 95% of all cpu cycles are spent on
> garbage collection and you don't have any cpu cycles left over to actually
> do work like compile catalogs...
>
> To understand how Puppet loads code into memory:
>
> Your code base is:  ( [ size of your control-repo ] + [ size of all the
> modules from the Puppetfile ] )  x  [ the amount of puppet code
> environments]
> So let's say:
>
>- your control repo is 5MB in size
>- all modules together are 95MB in size
>- you have 4 code environments: development, testing, acceptance and
>production
>
> That's 100MB of code to load in memory, per environment. For 4
> environments, that's 400MB.
> A different way to get this amount directly is to run *du -h
> /etc/puppetlabs/code/environments* on the puppet master and look at the
> size reported for */etc/puppetlabs/code/environments*
>
> Now every JRuby will load that entire code base into memory. So if you
> have 4 JRubies, that's 1600MB of java heap memory that's actually needed.
> You can imagine what problems will happen if there isn't this much heap
> memory configured...
>
> If you're using the defaults, Puppet will create the same amount of
> JRubies as the number of cpu cores on your master, minus 1, with a maximum
> of 4 JRubies for the system.
> If you override the defaults, you can specify any number of JRubies you
> want with the max-active-instances setting.
>
> So by default a 2-cpu puppet master will create 1 JRuby, a 4-cpu puppet
> master will create 3 JRubies, an 8-cpu puppet master will create 4 JRubies.
>
> So now you know how to determine the amount of java heap memory you need
> to configure, which you can do by configuring the -Xmx and -Xms options in
> the JAVA_ARGS section of the puppetserver startup command.
> Then finally make sure the host has enough physical memory available to
> provide this increased amount

Re: [Puppet Users] Re: Puppetserver performance plummeting a few hours after startup

2020-02-06 Thread Justin Stoller 
Yvan your issue sounds like https://tickets.puppetlabs.com/browse/PUP-3647,
do you know if that is fixed now, or has regressed since then?

Your issue does sound like a CodeCache or Metaspace issue.

One tunable you didn't mention was "max-active-instances" I've found a
bunch of folks that turned that very low to combat leaky code in 5.x or
4.x, despite it causing Puppet & the ruby runtime to be reloaded
frequently. In 6.x that loading became much more expensive so small values
of "max-active-instances" can be very detrimental to performance (and
contribute to excessive Metaspace/CodeCache usage).

This is also assuming that your servers are both 6.x and both at the same
version. Can you confirm that? There are recent improvements in Server
performance that could contribute (though probably not completely explain)
the difference in performance your seeing if your new Server is the latest
version and your old server hasn't been upgraded in a few months.

HTH,
Justin



On Thu, Feb 6, 2020 at 8:43 AM KevinR  wrote:

> Hi Martijn,
>
> it sounds like you have a sub-optimal combination of:
>
>- The amount of JRubies
>- The total amount of java heap memory for puppetserver
>- The size of your code base
>
> This typically causes the kind of problems you're experiencing. What's
> happening in a nutshell is that puppet is loading so much code in memory
> that is starts running out of it and starts performing garbage collection
> more and more aggressively. At the end, 95% of all cpu cycles are spent on
> garbage collection and you don't have any cpu cycles left over to actually
> do work like compile catalogs...
>
> To understand how Puppet loads code into memory:
>
> Your code base is:  ( [ size of your control-repo ] + [ size of all the
> modules from the Puppetfile ] )  x  [ the amount of puppet code
> environments]
> So let's say:
>
>- your control repo is 5MB in size
>- all modules together are 95MB in size
>- you have 4 code environments: development, testing, acceptance and
>production
>
> That's 100MB of code to load in memory, per environment. For 4
> environments, that's 400MB.
> A different way to get this amount directly is to run *du -h
> /etc/puppetlabs/code/environments* on the puppet master and look at the
> size reported for */etc/puppetlabs/code/environments*
>
> Now every JRuby will load that entire code base into memory. So if you
> have 4 JRubies, that's 1600MB of java heap memory that's actually needed.
> You can imagine what problems will happen if there isn't this much heap
> memory configured...
>
> If you're using the defaults, Puppet will create the same amount of
> JRubies as the number of cpu cores on your master, minus 1, with a maximum
> of 4 JRubies for the system.
> If you override the defaults, you can specify any number of JRubies you
> want with the max-active-instances setting.
>
> So by default a 2-cpu puppet master will create 1 JRuby, a 4-cpu puppet
> master will create 3 JRubies, an 8-cpu puppet master will create 4 JRubies.
>
> So now you know how to determine the amount of java heap memory you need
> to configure, which you can do by configuring the -Xmx and -Xms options in
> the JAVA_ARGS section of the puppetserver startup command.
> Then finally make sure the host has enough physical memory available to
> provide this increased amount of java heap memory.
>
> Once enough java heap memory is provided, you'll see the cpu usage stay
> stable.
>
> Kind regards,
>
> Kevin Reeuwijk
>
> Principal Sales Engineer @ Puppet
>
> On Thursday, February 6, 2020 at 11:51:42 AM UTC+1, Martijn Grendelman
> wrote:
>>
>> Hi,
>>
>> A question about Puppetserver performance.
>>
>> For quite a while now, our primary Puppet server is suffering from severe
>> slowness and high CPU usage. We have tried to tweak its settings, giving it
>> more memory (Xmx = 6 GB at the moment) and toying with the
>> 'max-active-instances' setting to no avail. The server has 8 virtual cores
>> and 12 GB memory in total, to run Pupperserver, PuppetDB and PostgreSQL.
>>
>> Notably, after a restart, the performance is acceptable for a while
>> (several hours, up to a almost day), but then it plummets again.
>>
>> We figured that the server was just unable to cope with the load (we had
>> over 270 nodes talking to it in 30 min intervals), so we added a second
>> master that now takes more than half of that load (150 nodes). That did not
>> make any difference at all for the primary server. The secondary server
>> however, has no trouble at all dealing with the load we gave it.
>>
>> In the graph below, that displays catalog compilation times for both
>> servers, you can see the new master in green. It has very constant high
>> performance. The old master is in yellow. After a restart, the compile
>> times are good (not great) for a while.The first dip represents ca. 4
>> hours, the second dip was 18 hours. At some point, the catalog compilation
>> times sky-rocket, as does the server load.

[Puppet Users] Re: puppet --trace content

2019-11-27 Thread Justin Stoller 
This will be my last note about this. I'll probably start work on it later
_next_ week.

fwiw, I'm leaning towards something like `--trace` returns just the ruby
stacktrace, `--puppet_trace` returns just the puppet code stack, and
passing both interleave them similar to previous behavior (but if more
folks are concerned about this having been a breaking change I can put the
solitary `--trace` output back to having them interleaved).

On Thu, Nov 21, 2019 at 10:41 AM Justin Stoller  wrote:

> Hello!
>
> I noticed that the way we were computing the "Puppet" stack (ie the files
> and line numbers from function calls within Puppet code like `fqdn_rand()`)
> had become slow and was likely to become slower. In my attempt to improve
> the situation I focused on ensuring backwards compatibility with callers of
> the PuppetStack api (like the stdlib function `deprecation`).
>
> However there was a change in the output of `puppet --trace` (when using
> puppet apply or puppet agent, or in the server logs). The output of the
> Ruby stack traces used to have the Puppet code stack interleaved. I tried
> putting example stack traces in this email and it became a bit unwieldy, so
> I'll refer you to the ticket[1] where there are examples.
>
> My questions, also posed in the ticket, are:
> Is interleaving the Puppet stack trace into the Ruby stack trace valuable
> to most users (and should go back to being the default)?
> Are there workflows where you'd like to see just one (the Puppet stack),
> the other (Ruby), or both (ie, do we need more trace options, and if so how
> important are they relative to each other)?
>
> I don't know if I'll get *something* around this for the next release, but
> I will probably start work on it relatively soon. I'd love your feedback,
> either in-line or in the linked ticket, to help figure out *what* that
> something is (go back to interleaving vs provide different flags for
> different traces).
>
>
> Thanks,
> Justin
>
> 1. https://tickets.puppetlabs.com/browse/PUP-10150
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqWLEVe3VL2-57xSV_KPErFiQ9X%3DjoO68gskL6GBqLhZhw%40mail.gmail.com.

[Puppet Users] puppet --trace content

2019-11-21 Thread Justin Stoller 
Hello!

I noticed that the way we were computing the "Puppet" stack (ie the files
and line numbers from function calls within Puppet code like `fqdn_rand()`)
had become slow and was likely to become slower. In my attempt to improve
the situation I focused on ensuring backwards compatibility with callers of
the PuppetStack api (like the stdlib function `deprecation`).

However there was a change in the output of `puppet --trace` (when using
puppet apply or puppet agent, or in the server logs). The output of the
Ruby stack traces used to have the Puppet code stack interleaved. I tried
putting example stack traces in this email and it became a bit unwieldy, so
I'll refer you to the ticket[1] where there are examples.

My questions, also posed in the ticket, are:
Is interleaving the Puppet stack trace into the Ruby stack trace valuable
to most users (and should go back to being the default)?
Are there workflows where you'd like to see just one (the Puppet stack),
the other (Ruby), or both (ie, do we need more trace options, and if so how
important are they relative to each other)?

I don't know if I'll get *something* around this for the next release, but
I will probably start work on it relatively soon. I'd love your feedback,
either in-line or in the linked ticket, to help figure out *what* that
something is (go back to interleaving vs provide different flags for
different traces).


Thanks,
Justin

1. https://tickets.puppetlabs.com/browse/PUP-10150

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXdanZYL0gvi4ebc%2BAvNGH_OaH3rpvFJD%3DU70_Cu0FNpg%40mail.gmail.com.

Re: [Puppet Users] PE 2019.2 with Puppet Agent 5.x (Turn off new Intermediate CA architecture)

2019-11-19 Thread Justin Stoller 
sorry for the delay, kid got sick.

On Sun, Nov 17, 2019 at 3:13 AM A Manzer  wrote:

> From what I saw, the new architecture is an Intermediate Signing Cert,
> signed by a bare *key*.  I'm not sure how I could copy that to an agent
> and have it trusted.
>

The $cadir/ca_crt.pem will contain both the intermediate and root cert. The
root's private key is also left in the cadir so you can put it in a safe
location. The intermediate's key is in the $cadir/ca_key.pem location.

IIRC, for a 5.x agent connecting to a 6.x CA you'd need to move the
ca_crt.pem and signed agent cert to the agent out of band, while also
disabling crl checking. Kinda defeats the purpose of enabling intermediate
CAs if you have to disable the CRL though. But, the refactor to handle CRL
chains wasn't something we were comfortable putting into an LTS right away.
And most folks we've talked to have an older CA infrastructure w/ new
agents, so the backport hasn't been prioritized.

>
> turn off your master, delete your ssldir and restart it to have it create
>> a self signed root.
>>
> This is what I want to do!  But I'm not sure what options to set during
> installation/setup to turn that off.
>

If you have an existing ssldir I think PE will install w/o additional
configuration and just use the existing certs/keys. The installer mostly
runs Puppet and the code that bootstraps it is basically an `exec {
"puppetserver ca setup": creates => "/etc/puppetlabs/puppet/ssl/ca" }` .

I *think* the master, if the service starts and there isn't an ssldir, will
re-create the keys/certs it needs, but as a 5.x compatible self signed root
- but don't try that unless you're prepared for everything to fail. I think
we left the old bootstrap code in there for demo purposes, but it's not
actively maintained.

Again, there's probably a better way w/in PE to distribute the certs once
you've regen them for the CA/master to the console/pdb, but I don't know
it. You might want to try #puppet-enterprise in the community slack channel.


hth,
Justin

>
>
> On Saturday, November 16, 2019 at 4:46:01 PM UTC-5, Justin Stoller wrote:
>>
>> Depending on your security inclinations you might try turning crl
>> checking off on your 5.5 agent (iirc, that was the biggest issue - if not
>> the only issue). You might have to also copy the signed cert over to the
>> agent too).
>>
>> Otherwise, you may be able to turn off your master, delete your ssldir
>> and restart it to have it create a self signed root. Make sure the agent on
>> the master can then check in. I don't remember how that cert is then
>> propagated out to pdb and the console. You'll either need to hunt and
>> replace on disk (there's gotta be a task or `puppet infra` command though),
>> or uninstall/re-install pe (iirc, you can install a fresh pe onto an
>> existing ssldir).
>>
>> hth
>>
>> On Sat, Nov 16, 2019 at 4:33 AM A Manzer  wrote:
>>
>>> Using the LTS is one option.
>>>
>>> I disagree that it says that pre-6 agents won't play with a 6 server.
>>> On that page I linked, there's a compatibility matrix that shows 5.x agents
>>> are compatible with PE 2019.1.  Also, the first phrase of the quote says
>>> that I can use pre-6.x agents.
>>>
>>> I think I'm closer: I found a page on Puppet 6 Intermediate CA
>>> <https://puppet.com/docs/puppetserver/6.0/intermediate_ca.html>, but it
>>> only tells me how to convert *to* an intermediate CA architecture, not
>>> *from* an intermediate CA architecture.
>>>
>>> On Saturday, November 16, 2019 at 7:02:01 AM UTC-5, LinuxDan wrote:
>>>>
>>>> Use 2018.1.11 (LTS)
>>>>
>>>> It clearly says that pre-6 agents won’t play with a 6 server.
>>>>
>>>> —-
>>>>
>>>> "Sometimes I think the surest sign that intelligent life exists
>>>> elsewhere in the universe is that none of it has tried to contact us."
>>>>
>>>> Bill Waterson (Calvin & Hobbes)
>>>>
>>>> On Nov 16, 2019, at 6:50 AM, A Manzer  wrote:
>>>>
>>>> 
>>>> I've been using Puppet Enterprise at work quite successfully for a long
>>>> time.  So I finally decided to take advantage of the "Run 10 nodes for
>>>> free" offer and run PE at home.
>>>>
>>>> I've set up my PE server using the latest 2019.2.1.  My desktop
>>>> computer runs Ubuntu 18.04, and I was able to `curl | sudo bash` to install
>>>> version 6.10.1 of the agent.
>>>>
>>>> But I'm really interested in running Puppet on

Re: [Puppet Users] PE 2019.2 with Puppet Agent 5.x (CA issue?)

2019-11-16 Thread Justin Stoller 
Depending on your security inclinations you might try turning crl checking
off on your 5.5 agent (iirc, that was the biggest issue - if not the only
issue). You might have to also copy the signed cert over to the agent too).

Otherwise, you may be able to turn off your master, delete your ssldir and
restart it to have it create a self signed root. Make sure the agent on the
master can then check in. I don't remember how that cert is then propagated
out to pdb and the console. You'll either need to hunt and replace on disk
(there's gotta be a task or `puppet infra` command though), or
uninstall/re-install pe (iirc, you can install a fresh pe onto an existing
ssldir).

hth

On Sat, Nov 16, 2019 at 4:33 AM A Manzer  wrote:

> Using the LTS is one option.
>
> I disagree that it says that pre-6 agents won't play with a 6 server.  On
> that page I linked, there's a compatibility matrix that shows 5.x agents
> are compatible with PE 2019.1.  Also, the first phrase of the quote says
> that I can use pre-6.x agents.
>
> I think I'm closer: I found a page on Puppet 6 Intermediate CA
> , but it
> only tells me how to convert *to* an intermediate CA architecture, not
> *from* an intermediate CA architecture.
>
> On Saturday, November 16, 2019 at 7:02:01 AM UTC-5, LinuxDan wrote:
>>
>> Use 2018.1.11 (LTS)
>>
>> It clearly says that pre-6 agents won’t play with a 6 server.
>>
>> —-
>>
>> "Sometimes I think the surest sign that intelligent life exists elsewhere
>> in the universe is that none of it has tried to contact us."
>>
>> Bill Waterson (Calvin & Hobbes)
>>
>> On Nov 16, 2019, at 6:50 AM, A Manzer  wrote:
>>
>> 
>> I've been using Puppet Enterprise at work quite successfully for a long
>> time.  So I finally decided to take advantage of the "Run 10 nodes for
>> free" offer and run PE at home.
>>
>> I've set up my PE server using the latest 2019.2.1.  My desktop computer
>> runs Ubuntu 18.04, and I was able to `curl | sudo bash` to install version
>> 6.10.1 of the agent.
>>
>> But I'm really interested in running Puppet on my other Raspberry Pi
>> servers around the house.  So I installed Puppet version 5.5.10 from the
>> Raspbian archive and pointed it at my PE server.
>>
>> I'm able to see an unsigned certificate in my PE console, and sign it,
>> but then when I run puppet on my node, I get "Error: Could not request
>> certificate: SSL_connect returned=1 errno=0 state=error: certificate verify
>> failed: [unable to get issuer certificate for /CN=Puppet Enterprise CA
>> generated at +2019-*MM-DD HH:MM:SS*]"
>>
>> I think this is due to the fact that Puppet Server 6 now generates an
>> Intermediate Cert to sign Agent certs, rather than the older self-signed
>> root style.  The Component versions in recent PE releases
>> 
>> document says
>>
>> You can use pre-6.x agents with a Puppet 6.x or PE 2019.0 or later
>>> master, but this combination doesn't take advantage of the new intermediate
>>> certificate authority architecture introduced in Puppet Server 6.0. To
>>> adopt the new CA architecture, both your master and agents must be upgraded
>>> to at least 6.x/2019.0, and you must regenerate certificates. If you don't
>>> upgrade *all *of your nodes to 6.x, do not regenerate your
>>> certificates, because pre-6.x agents won't work with the new CA
>>> architecture.
>>>
>>
>> I think this is exactly the case I'm in.  I think my PE 2019.2.1
>> installation generated an intermediate cert architecture and my Puppet 5.5
>> agents don't understand it.
>>
>> My question is: *How do I turn this off?*  How do I revert to a
>> pre-puppet 6.0 self-signed root?  A pe.conf setting with a fresh install is
>> fine because I don't have anything yet configured in this installation.
>>
>> Thanks.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to puppet...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/2eb9336e-7f31-4917-9e7f-838e8739955d%40googlegroups.com
>> 
>> .
>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/d730edfc-9b11-4ae3-b4bd-66b59c76d66f%40googlegroups.com
> 
> .
>

-- 
You received this message

Re: [Puppet Users] Puppetserver 6.2.1 refuses to start after crash

2019-10-28 Thread Justin Stoller 
inline

On Fri, Oct 11, 2019 at 8:53 AM Sander de Boer  wrote:

> I have a problem with a with Foreman and Puppet server (6.2.1) on a KVM VM
> with Ubuntu 18.04.
> After a crash of the VM Foreman starts without a problem (no errors in
> it's logs) but puppetserver refuses with this JRuby java error below.
> Quite frankly I have no clue as to where to start looking.
>
> Anyone has any experience with this kind of error?
>
> 2019-10-09T09:18:02.909+02:00 INFO  [async-dispatch-2]
> [p.s.v.versioned-code-service] No code-id-command set for
> versioned-code-service. Code-id will be nil.
> 2019-10-09T09:18:02.910+02:00 INFO  [async-dispatch-2]
> [p.s.v.versioned-code-service] No code-content-command set for
> versioned-code-service. Attempting to fetch code content will fail.
> 2019-10-09T09:18:12.148+02:00 ERROR [clojure-agent-send-pool-0]
> [p.t.internal] shutdown-on-error triggered because of exception!
> java.lang.IllegalStateException: There was a problem adding a
> JRubyInstance to the pool.
> at
> puppetlabs.services.jruby_pool_manager.impl.jruby_agents$fn__32598$prime_pool_BANG___32603$fn__32607.invoke(jruby_agents.clj:75)
> at
> puppetlabs.services.jruby_pool_manager.impl.jruby_agents$fn__32598$prime_pool_BANG___32603.invoke(jruby_agents.clj:48)
> at
> puppetlabs.services.jruby_pool_manager.impl.jruby_agents$fn__32848$send_prime_pool_BANG___32853$fn__32854$fn__32855.invoke(jruby_agents.clj:233)
> at
> puppetlabs.trapperkeeper.internal$shutdown_on_error_STAR_.invokeStatic(internal.clj:389)
> at
> puppetlabs.trapperkeeper.internal$shutdown_on_error_STAR_.invoke(internal.clj:364)
> at
> puppetlabs.trapperkeeper.internal$shutdown_on_error_STAR_.invokeStatic(internal.clj:374)
> at
> puppetlabs.trapperkeeper.internal$shutdown_on_error_STAR_.invoke(internal.clj:364)
> at
> puppetlabs.trapperkeeper.internal$fn__14006$shutdown_service__14011$fn$reify__14013$service_fnk__4991__auto___positional$reify__14018.shutdown_on_error(internal.clj:429)
> at
> puppetlabs.trapperkeeper.internal$fn__13953$G__13938__13961.invoke(internal.clj:397)
> at
> puppetlabs.trapperkeeper.internal$fn__13953$G__13937__13970.invoke(internal.clj:397)
> at clojure.core$partial$fn__5824.invoke(core.clj:2625)
> at clojure.core$partial$fn__5824.invoke(core.clj:2624)
> at
> puppetlabs.services.jruby_pool_manager.impl.jruby_agents$fn__32573$send_agent__32578$fn__32579$agent_fn__32580.invoke(jruby_agents.clj:42)
> at clojure.core$binding_conveyor_fn$fn__5739.invoke(core.clj:2033)
> at clojure.lang.AFn.applyToHelper(AFn.java:154)
> at clojure.lang.RestFn.applyTo(RestFn.java:132)
> at clojure.lang.Agent$Action.doRun(Agent.java:114)
> at clojure.lang.Agent$Action.run(Agent.java:163)
> at
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> at java.lang.Thread.run(Thread.java:748)
> Caused by: org.jruby.embed.EvalFailedException: (LoadError) no such file
> to load -- concurrent
>

The concurrent ruby gem was added as a prerequisite for Puppet (in 6.9.0)
and Puppet Server (in 6.6.0). I assume you have the newest agent and it
can't find the concurrent gem within the Server environment. I would either
upgrade your Server to latest, or downgrade your Agent to one that was
released with that version of the Server (Agent 6.3.0, I believe), or
install the concurrent gem via puppetserver's gem utility (ie `puppetserver
gem install concurrent-ruby -v 1.1.5`).

Of those I would recommend upgrading your server since the 6.2.x stream
will no longer be receiving updates.

HTH,
Justin

at
> org.jruby.embed.internal.EmbedEvalUnitImpl.run(EmbedEvalUnitImpl.java:131)
> at
> org.jruby.embed.ScriptingContainer.runUnit(ScriptingContainer.java:1295)
> at
> org.jruby.embed.ScriptingContainer.runScriptlet(ScriptingContainer.java:1288)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at clojure.lang.Reflector.invokeMatchingMethod(Reflector.java:167)
> at clojure.lang.Reflector.invokeInstanceMethod(Reflector.java:102)
> at
> puppetlabs.services.jruby.jruby_puppet_core$fn__34109$get_initialize_pool_instance_fn__34114$fn__34115$fn__34116.invoke(jruby_puppet_core.clj:132)
> at
> puppetlabs.services.jruby_pool_manager.impl.jruby_internal$fn__32180$create_pool_instance_BANG___32189$fn__32192.invoke(jruby_internal.clj:211)
> at
> puppetlabs.services.jruby_pool_manager.impl.jruby_internal$fn__32180$create_pool_instance_BANG___32189.invoke(jruby_internal.clj:177)
> at
>

Re: [Puppet Users] Puppetserver fails with a load error of "concurrent"

2019-10-11 Thread Justin Stoller 
The Puppet Server and Puppet Agent brought in a dependency on the
concurrent gem in versions 6.7.0 & 6.9.0 respectively (the server and agent
are unfortunately versioned slightly differently).

On the master, the Agent and the Server also share Ruby code. So if you
have a Server >= 6.7 with an Agent < 6.9 or vice versa, you may see the
error for that reason.

The Server should work with many versions of the Agent over the wire,
however it requires a similar versioned agent to itself colocated on the
same host. I would see what Agent version you're running and either
downgrade the Agent or upgrade the Server.

On Fri, Oct 11, 2019 at 8:55 AM Sander de Boer  wrote:

> After a crash of the server (Ubuntu 18.04) our puppetserver (6.2.1)
> process refuses to start with the message it can not find the
> file/directory "concurrent".
> It looks like this is a JRuby/Java problem.
>
> ...
> Oct  9 09:18:12 foreman puppetserver[32556]: LoadError: no such file to
> load -- concurrent
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> org/jruby/RubyKernel.java:970
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59
> Oct  9 09:18:12 foreman puppetserver[32556]: at
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/thread_local.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> org/jruby/RubyKernel.java:970
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59
> Oct  9 09:18:12 foreman puppetserver[32556]: at
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> org/jruby/RubyKernel.java:970
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59
> Oct  9 09:18:12 foreman puppetserver[32556]:at
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/context.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]: at
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> org/jruby/RubyKernel.java:970
> Oct  9 09:18:12 foreman puppetserver[32556]:Puppet at
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:41
> Oct  9 09:18:12 foreman puppetserver[32556]: at
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet.rb:38
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> org/jruby/RubyKernel.java:970
> Oct  9 09:18:12 foreman puppetserver[32556]:(root) at
> uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]: at
> uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59
> Oct  9 09:18:12 foreman puppetserver[32556]:   require at
> org/jruby/RubyKernel.java:970
> Oct  9 09:18:12 foreman puppetserver[32556]:(root) at
> uri:classloader:/puppetserver-lib/puppet/server.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]: at
> uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:1
> Oct  9 09:18:12 foreman puppetserver[32556]: Exception in thread "main"
> java.lang.IllegalStateException: There was a problem adding a JRubyInstance
> to the pool.
> ...
>
> Anyone any experience with this?
>
> Thanks in advance!
>
> Sander
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/3677619a-8bac-4ca0-811a-0a0ce73d2828%40googlegroups.com
> 
> .
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUP-SvfsNYwEgrh12v7T_rBhy09ANr4pKi0FLMQrJXWkQ%40mail.gmail.com.

Re: [Puppet Users] Puppet server won't start

2019-09-04 Thread Justin Stoller 
On Wed, Sep 4, 2019 at 12:16 PM 'Prentice Bisbal' via Puppet Users <
puppet-users@googlegroups.com> wrote:

> I'm doing a fresh install of Puppet6 on CentOS 7.6:
>
> # rpm -qa | grep puppet
> puppetserver-6.4.0-1.el7.noarch
> puppetdb-termini-6.3.4-1.el7.noarch
> puppet-bolt-1.26.0-1.el7.x86_64
> puppet-client-tools-1.2.6-1.el7.x86_64
> puppetdb-6.3.4-1.el7.noarch
> puppet-agent-6.8.1-1.el7.x86_64
> puppet6-release-6.0.0-5.el7.noarch
>
> # cat /etc/redhat-release
> CentOS Linux release 7.6.1810 (Core)
>
> I believe I have everything configured correctly, but when I try to
> start puppetserver, it fails to start:
>
> # systemctl start puppetserver
> Job for puppetserver.service failed because the control process exited
> with error code. See "systemctl status puppetserver.service" and
> "journalctl -xe" for details.
>
> The output of "systemctl status ..." and "journalctl -xe" aren't very
> helpful to me:
>
> # systemctl status puppetserver.service
> ● puppetserver.service - puppetserver Service
> Loaded: loaded (/usr/lib/systemd/system/puppetserver.service;
> enabled; vendor preset: disabled)
> Active: activating (start) since Wed 2019-09-04 15:10:53 EDT; 19s ago
>Control: 21586 (bash)
>  Tasks: 39 (limit: 4915)
> CGroup: /system.slice/puppetserver.service
> ├─21586 bash
> /opt/puppetlabs/server/apps/puppetserver/cli/apps/start
> ├─21593 /usr/bin/java -Xms2g -Xmx2g
> -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger
> -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /...
> └─21708 sleep 1
>
> Sep 04 15:10:53 puppet.pppl.gov systemd[1]: Starting puppetserver
> Service...
>
> # journalctl -xe
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at
> org.jruby.RubyKernel.require(org/jruby/RubyKernel.java:970)
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at
>
> RUBY.require(uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59)
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at
> RUBY.(uri:classloader:/puppetserver-lib/puppet/server.rb:1)
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at
> org.jruby.RubyKernel.require(org/jruby/RubyKernel.java:970)
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at
>
> RUBY.(root)(uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:1)
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at
>
> RUBY.(uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59)
>

This looks like part of stacktrace. Is there a full stacktrace in
/var/log/puppetlabs/puppetserver/puppetserver.log ? If there is it might
give more info.

Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: Background process
> 21878 exited before start had completed
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: puppetserver.service:
> control process exited, code=exited status=1
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Failed to start puppetserver
> Service.
> -- Subject: Unit puppetserver.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit puppetserver.service has failed.
> --
> -- The result is failed.
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Unit puppetserver.service
> entered failed state.
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: puppetserver.service failed.
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: puppetserver.service holdoff
> time over, scheduling restart.
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Stopped puppetserver Service.
> -- Subject: Unit puppetserver.service has finished shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit puppetserver.service has finished shutting down.
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Starting puppetserver
> Service...
> -- Subject: Unit puppetserver.service has begun start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit puppetserver.service has begun starting up.
>
> However, the output of 'ps -ef | grep puppet' shows it's running:
>
> # ps -ef | grep puppet
> puppet   22299 1  0 15:12 ?00:00:00 bash
> /opt/puppetlabs/server/apps/puppetserver/cli/apps/start
> puppet   22306 22299 99 15:12 ?00:00:08 /usr/bin/java -Xms2g
> -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger
> -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp
> /opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar:/opt/puppetlabs/server/data/puppetserver/jars/*
>
> clojure.main -m puppetlabs.trapperkeeper.main --config
> /etc/puppetlabs/puppetserver/conf.d --bootstrap-config
> /etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/
>
> --restart-file /opt/puppetlabs/server/data/puppetserver/restartcounter
>
>

Re: [Puppet Users] Re: Could not retrieve file metadata for puppet:///files/limits-conf: Error 500 on SERVER: Server Error: Not authorized to call find on /file_metadata/files/limits-conf

2019-05-28 Thread Justin Stoller 
That's not an error from Puppet Server's HTTP auth.conf, it's an error from
Puppet's old auth.conf or its fileserver.conf. Note the "Not authorized to
call *find* on ..." Puppet Server's auth handles HTTP verbs like GET,
Puppet's indirector auth translates those to verbs like FIND or SEARCH.

>From that endpoint I would assume you have a custom mountpoint called
"files" with an incorrect allow statement. Is that correct?
See for details https://puppet.com/docs/puppet/6.4/file_serving.html

If that's true hopefully that page will help you correct the auth syntax,
though my suggestion would be to follow Alessandro's advice and update your
file structure to be able to put those files into a module and use the
module syntax, or put them on an http server and use regular http
endpoints, or, if you can use 6.x and need to secure the contents with a
key, use a client side function.

HTH,
Justin

On Tue, May 28, 2019 at 8:48 AM Chris Phillips  wrote:

> I thought the same and have tried that to no avail. I believe its because
> we are storing the files outside of the standard modules directory ie
> /etc/puppetlabs/code where as we are using /etc/puppetlabs/example/code.
>
> Thanks,
> Chris
>
> On May 28, 2019, at 6:03 AM, Alessandro Franceschi  wrote:
>
> In the file resource which manages /etc/bashrc you have probably a
> parameter like:
> *source => puppet:///files/etcbashrc*
>
> that should be something like:
>
> *source => puppet:///modules/$MODULENAME/etcbashrc*
>
> this implies that your source etcbashrc file is in a module called
> $MODULENAME in the files/etcbashrc location (note that you don't have to
> specify "files" in the source param.
>
> For details:
>
> https://puppet.com/docs/puppet/6.4/modules_fundamentals.html#files-in-modules
>
> On Thursday, May 23, 2019 at 10:13:38 PM UTC+2, Chris Phillips wrote:
>>
>> I am using Puppet v5.5.13 and am receiving the following error. Any help
>> would be appreciated.
>>
>> *Error: /Stage[main]/Profiles::Base/File[/etc/bashrc]: Could not
>> evaluate: Could not retrieve file metadata for puppet:///files/etcbashrc:
>> Error 500 on SERVER: Server Error: Not authorized to call find on
>> /file_metadata/files/etcbashrc with {:rest=>"files/etcbashrc",
>> :links=>"manage", :checksum_type=>"md5", :source_permissions=>"ignore"}*
>>
>>
>> *My auth.conf looks like:*
>>
>>
>> authorization: {
>>
>> version: 1
>>
>> allow-header-cert-info: false
>>
>> rules: [
>>
>> {
>>
>> # Allow file metadata
>>
>> match-request: {
>>
>> path: "^/file_(metadata|content)/files/"
>>
>> type: regex
>>
>> }
>>
>> allow: "*"
>>
>> sort-order: 400
>>
>> name: "access to all file metadata"
>>
>> },
>>
>> {
>>
>> # Allow any file access
>>
>>   match-request: {
>>
>> path: "^/puppet/v3/file_(content|metadata)s?/files"
>>
>> type: regex
>>
>> method: [get, post]
>>
>> }
>>
>> allow: "*"
>>
>> sort-order: 400
>>
>> name: "access to all files"
>>
>> },
>>
>> {
>>
>> # Allow nodes to retrieve their own catalog
>>
>> match-request: {
>>
>> path: "^/puppet/v3/catalog/([^/]+)$"
>>
>> type: regex
>>
>> method: [get, post]
>>
>> }
>>
>> allow: ["$1"]
>>
>> sort-order: 500
>>
>> name: "puppetlabs catalog"
>>
>> },
>>
>> {
>>
>> # Allow nodes to retrieve the certificate they requested
>> earlier
>>
>> match-request: {
>>
>> path: "/puppet-ca/v1/certificate/"
>>
>> type: path
>>
>> method: get
>>
>> }
>>
>> allow-unauthenticated: true
>>
>> sort-order: 500
>>
>> name: "puppetlabs certificate"
>>
>> },
>>
>> {
>>
>> # Allow all nodes to access the certificate revocation list
>>
>> match-request: {
>>
>> path: "/puppet-ca/v1/certificate_revocation_list/ca"
>>
>> type: path
>>
>> method: get
>>
>> }
>>
>> allow-unauthenticated: true
>>
>> sort-order: 500
>>
>> name: "puppetlabs crl"
>>
>> },
>>
>> {
>>
>> # Allow nodes to request a new certificate
>>
>> match-request: {
>>
>> path: "/puppet-ca/v1/certificate_request"
>>
>> type: path
>>
>> method: [get, put]
>>
>> }
>>
>> allow-unauthenticated: true
>>
>> sort-order: 500
>>
>> name: "puppetlabs csr"
>>
>> },
>>
>> {
>>
>> # Allow the CA CLI to access the certificate_status endpoint
>>
>> match-request: {
>>
>> path: "/puppet-ca/v1/certificate_status"
>>
>> type: path
>>
>> method: [get, put, delete]
>>
>>

Re: [Puppet Users] PuppetServer failing after restart

2019-05-09 Thread Justin Stoller 
On Thu, May 9, 2019 at 12:00 PM Zama  wrote:

> HI All ,
>
> I had a working puppetserver. But after yesterday's OS reboot , the
> service is not coming up . Below errors can be seen in log
>
>
> Version are as follows:
>
> rpm -q puppetserver
>
> puppetserver-2.3.1-1.el6.noarch
>
> rpm -q puppet-agent
>
> puppet-agent-5.5.0-2.el6sat.x86_64
>
> $ rpm -q ruby
>
> ruby-1.8.7.374-5.el6.x86_64
>
> Please suggest how to resolve the issue.
>

Puppet Server 2.x needs an agent of the 4.x series on the same node as it.
If you want to upgrade the agent to the 5.x series you need to upgrade your
Puppet Server to the 5.x series as well.


HTH,
Justin

>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/e2649ed5-68ea-49ac-bfea-452ba3fc4fb8%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXYEtqh8eToFC3aVCCQ5UjC40LPJOKpxU8cXQt4PzhKWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Puppet Sever 6 upgrade on Enterprise Linux 7.6 issue

2019-03-05 Thread Justin Stoller 
The CA is one cert, the master and agent share another, so you wouldn't
need to rekey everything, however you can also just whitelist your master
cert in the file described here:
https://puppet.com/docs/puppetserver/6.2/config_file_auth.html

However, Martin's blog posts are excellent, you should probably just follow
what whatever they say, tbh.

 - Justin

On Tue, Mar 5, 2019 at 5:04 AM Martin Alfke  wrote:

> Maybe our blog can shed some light on this:
> https://www.example42.com/2018/10/08/puppet6-ca-upgrading/
>
> On 5. Mar 2019, at 13:49, jmp242  wrote:
>
> So, I don't want to regenerate my CA master certificate, i.e. I don't want
> to manually replace all the CA certificate file on all my clients. If the
> ca generate is for the puppetserver AGENT certificate, i.e. only used on
> one computer, I can do that. But the docs aren't clear to me which it's
> talking about.
>
> On Monday, March 4, 2019 at 4:56:49 PM UTC-5, Justin Stoller wrote:
>>
>> The new ca tool (which is one of the things node clean is calling under
>> the hood) uses the CA's http api in most cases and requires special
>> permissions. By default, the api now only allows access to most certificate
>> endpoints by clients that contain a special cert extension. You can create
>> a cert for "foo" with that extension by running `puppetserver ca generate
>> --ca-client --certname=foo` (note this is one the few commands that
>> requires your server to be offline). If you don't or can't generate a ca
>> client cert you can add an explict certname that you want to be your
>> ca-client to the "allow" blocks in the tk auth.conf.
>>
>> See: https://puppet.com/docs/puppet/6.3/puppet_server_ca_cli.html for
>> more info.
>>
>> On Mon, Mar 4, 2019 at 12:43 PM jmp242  wrote:
>>
>>> I've upgraded from puppetserver 5, and after doing so I've gotten an
>>> error trying to clean a certificate.
>>> Per the "new method", I've tried
>>>
>>> puppet node clean fqdn
>>>
>>> This worked, for this node, before the updated with puppetserver 5.
>>>
>>> However, after the update I now get an error:
>>> puppet node clean fqdn
>>>
>>> WARN: Unresolved specs during Gem::Specification.reset:
>>>   facter (< 4, >= 2.0.1)
>>> WARN: Clearing out unresolved specs.
>>> Please report a bug if this causes problems.
>>> Error: When attempting to revoke certificate 'fqdn', received:
>>> Error:   code: 403
>>> Error:   body: Forbidden request:
>>> /puppet-ca/v1/certificate_status/fqdn (method :put). Please see the server
>>> logs for details.
>>> fqdn
>>>
>>> I'm not able to find anything by google - any ideas?
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Puppet Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to puppet-users...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/puppet-users/dc6b8ba8-32dd-4ec5-90ff-719673c8498f%40googlegroups.com
>>> <https://groups.google.com/d/msgid/puppet-users/dc6b8ba8-32dd-4ec5-90ff-719673c8498f%40googlegroups.com?utm_medium=email_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/3199dff4-f956-4e80-8f15-9d3a8faccc78%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/3199dff4-f956-4e80-8f15-9d3a8faccc78%40googlegroups.com?utm_medium=email_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/EFD0AD71-9FA1-4C08-8FFA-F625BD160706%40gmail.com
> <https://groups.google.com/d/msgid/puppet-users/EFD0AD71-9FA1-4C08-8FFA-F625BD160706%40gmail.com?utm_medium=email_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUqv8sU9yrktuf8AqDe5o34MOEd%3D2cGqjK1hud2Ti_CbQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Puppet Sever 6 upgrade on Enterprise Linux 7.6 issue

2019-03-04 Thread Justin Stoller 
The new ca tool (which is one of the things node clean is calling under the
hood) uses the CA's http api in most cases and requires special
permissions. By default, the api now only allows access to most certificate
endpoints by clients that contain a special cert extension. You can create
a cert for "foo" with that extension by running `puppetserver ca generate
--ca-client --certname=foo` (note this is one the few commands that
requires your server to be offline). If you don't or can't generate a ca
client cert you can add an explict certname that you want to be your
ca-client to the "allow" blocks in the tk auth.conf.

See: https://puppet.com/docs/puppet/6.3/puppet_server_ca_cli.html for more
info.

On Mon, Mar 4, 2019 at 12:43 PM jmp242  wrote:

> I've upgraded from puppetserver 5, and after doing so I've gotten an error
> trying to clean a certificate.
> Per the "new method", I've tried
>
> puppet node clean fqdn
>
> This worked, for this node, before the updated with puppetserver 5.
>
> However, after the update I now get an error:
> puppet node clean fqdn
>
> WARN: Unresolved specs during Gem::Specification.reset:
>   facter (< 4, >= 2.0.1)
> WARN: Clearing out unresolved specs.
> Please report a bug if this causes problems.
> Error: When attempting to revoke certificate 'fqdn', received:
> Error:   code: 403
> Error:   body: Forbidden request:
> /puppet-ca/v1/certificate_status/fqdn (method :put). Please see the server
> logs for details.
> fqdn
>
> I'm not able to find anything by google - any ideas?
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/dc6b8ba8-32dd-4ec5-90ff-719673c8498f%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqWVwpu2%3DTBGDmb2Gi54W5EpMMwukBmtSpZ4pLfHP%2BC2jg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Puppetserver 6.0.2 timeouts in the puppetserver log and on the agent side

2019-02-11 Thread Justin Stoller 
On Mon, Feb 11, 2019 at 5:42 AM Mike Sharpton  wrote:

> Hey all,
>
> We have recently upgraded our environment from Puppetserver 4.2.2 to
> Puppetserver 6.0.2.  We are running a mix of Puppet 4 and Puppet 6 agents
> until we can get them all upgraded to 6.  We have around 6000 nodes, and we
> had 4 Puppetservers, but we added two more due to capacity issues with
> Puppet 6.  The load is MUCH higher with Puppet 6.  To the question, I am
> seeing longer and longer agent run times after about two days of the
> services running.  The only error in the logs that seems to have any
> relation to this is this string.
>
> 2019-02-11T04:32:28.409-06:00 ERROR [qtp1148783071-4075] [p.r.core]
> Internal Server Error: java.io.IOException:
> java.util.concurrent.TimeoutException: Idle timeout expired: 30001/3 ms
>
>
> After I restart the puppetserver service, this goes away for about two
> days.  I think Puppetserver is dying a slow death under this load (load
> average of around 5-6).  We are running Puppetserver on vm's that are
> 10X8GB and using 6 Jruby workers per Puppetserver and a 4GB heap.  I have
> not seen any OOM exceptions and the process never crashes.  Has anyone else
> seen anything like this?  I did some Googling and didn't find a ton of
> relevant stuff.  Perhaps we need to upgrade to the latest version to see if
> this helps?  Even more capacity?  Seems silly.  Thanks in advance!
>

Off the top of my head:
1. Have you tried lowering the JRuby workers to JVM heap ratio? (I would
try 1G to 1worker to see if it really is worker performance)
2. That error is most likely from Jetty (it can be tuned with
idle-timeout-milliseconds[1]). Are agent runs failing with a 500 from the
server when that happens? Are clients failing to post their facts or
reports in a timely manner? Is Puppet Server failing its connections to
PuppetDB?
3. Are you managing any other server settings? Having a low
max-requests-per-instance is problematic for newer servers (they more
aggressively compile/optimize the Ruby code the worker loads, so with
shorter lifetimes it does a bunch of work to then throw it a way and start
over - and that can cause much more load).
4. What version of java are you using/do you have any custom tuning of Java
that maybe doesn't work well with newer servers? Server 5+ only has support
for Java 8 and will use more non-heap memory/code cache for those new
optimizations mentioned above.

HTH,
Justin


1.
https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md#idle-timeout-milliseconds


> Mike
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/197c0ad5-83c0-4562-833b-82028f0e3e9c%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXhSaod%2BkJHx23YpPVd3DMc8gSofvU2D6bbv%3Dt4%3DJKDxQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Puppet 3 and hiera

2019-01-09 Thread Justin Stoller 
On Wed, Jan 9, 2019 at 9:06 AM Peter Berghold 
wrote:

> Hi folks,
>
> I know... I know... get off of Puppet 3.  I'll be getting there soon.
>
> Right now I have Puppet 3 in our production environment where I work.
> Long political story as to why we are still on 3 that I won't get into.   I
> just did a release of the Puppet code and one of the "features" of the
> release is moving all the data out of the code into hiera.
>
> This has been shaken out and tested thoroughly and works fine. So far so
> good.  Superficially at least both the production and lab environments
> match each other in terms of Puppet version OS etc.   Both lab and
> production use RHEL 6.5 (?) and here's where the issue comes in.
>
> Puppet servers (I have a tiered environment, grand master -> manages ->
> remote masters -> manage clients) all seem to be working fine.  On the
> client nodes the Puppet agent terminates with an error:
>
> Error 400 on SERVER: Puppet::Parser::AST::Resource failed with error
> +RuntimeError: Hiera terminus not supported without hiera library at
> +/etc/puppet/environments/Production/manifests/site.pp:24 on node
> +
>
> I did some Googling looking for a solution and I found one mention of the
> need for a "ruby-hiera" package.  This is not installed in our test lab so
> this seems to be a red herring to me but I'm very willing to be wrong.
>

I think that package provides the library that can also be installed via
the hiera gem. You might want to see whether the hiera gem is installed in
Puppet/Puppet Server's gempath in one place vs the other (maybe someone
installed it via gem in the lab?).

>
> The line of code the error is happening on cited above is simple
> hiera_include('classes');
>
> Thoughts anybody?
> --
>
> Peter L. Berghold   salty.cowd...@gmail.com
>
> h ttp://science-fiction.berghold.net
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAArvnv281q9BHN5eY22MCcS_rtQ4utkmfYffY15b0cRtuUCg_A%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXWRjRag3KkCsGDdVAYuMP73hPa%2BKy4tTyaB6hNszOn-Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] [ANN] R10K 3.1.0 released

2018-12-07 Thread Justin Stoller 
We're happy to announce the R10K 3.1.0 has been released to Rubygems.org.

R10K provides the ability to reference environments acted upon in a
deploy's postrun script. This should help users integrate the creation of
Puppet's type generation into your code deployment. See this FAQ topic[1]
for more details on that workflow.

Many thanks to @raphink for the contribution, along
with @alexjfisher, @bastelfreak, and @binford2k for the reviews.


 - the Puppet Server team


1.
https://github.com/puppetlabs/r10k/blob/3.1.0/doc/faq.mkd#how-can-run-i-puppet-generate-types-for-each-changed-environment-during-deployment

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqW182BdnDC_1uaZ%2BOR6SSr6xNBaGvWuwT3U90J%2B16Jg-g%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Issue when trying to sign a certificate

2018-11-26 Thread Justin Stoller 
Hi Jesus,

On Thu, Nov 22, 2018 at 6:44 AM Jesús Oliván 
wrote:

> Hi!
>
> i'm experimenting a weird issue at random times when some clients are
> trying to sign his certificate in their puppet masters. Here's the log
> lines where error is visible:
>
> Info: Creating a new SSL key for pro-front-.xxx
> Info: csr_attributes file loading from
> /etc/puppetlabs/puppet/csr_attributes.yaml
> Info: Creating a new SSL certificate request for pro-front-.xxx
> Info: Certificate Request fingerprint (SHA256):
> 8D:FD:25:92:06:09:D1:38:B0:74:40:28:A6:C3:5C:B4:39:6D:81:EC:97:90:67:6B:45:39:DD:7A:EC:E3:F5:F6
> Error: Could not request certificate: Error 500 on SERVER: Internal Server
> Error: java.lang.NumberFormatException: For input string: ""
>
>
> And this is the output on the same stage of another node that is working
> fine with the same role/config:
>
> Info: Creating a new SSL key for pro-front-.xxx
> Info: csr_attributes file loading from
> /etc/puppetlabs/puppet/csr_attributes.yaml
> Info: Creating a new SSL certificate request for pro-front-.xxx
> Info: Certificate Request fingerprint (SHA256):
> FD:FC:6F:D0:39:3B:78:24:2B:B9:5D:82:6E:E8:58:0B:37:63:AD:89:6F:D9:34:15:E6:D9:42:7F:AB:E5:EF:3BESC[0m
> Info: Caching certificate for pro-front-.xxx
> Info: Caching certificate for pro-frontend-x.xxx
> Info: Using configured environment 'pro'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
>
> It's happening a few times, but it's annoying because when it occurs is
> while launching several nodes to form a new cluster, so the cluster is
> never formed until this "puppet not signed host" is not signed manually.
> Can anyone give me some light about this, please? Specially, this line in
> the "not working" node is concerning me:
>
> Error: Could not request certificate: Error 500 on SERVER: Internal Server
> Error: java.lang.NumberFormatException: For input string: ""
>

Can you look at the log for the server (on the server at
/var/log/puppetlabs/puppetserver/puppetserver.log) and post that. I would
expect a stacktrace at the time the 500 happened pointing out the culprit
in the code.

The agent might be requesting a certificate with invalid values, or a bug
in Puppet Server. My total wag would be that there's an issue with your
serial file being zeroed out (its just a place, off the top of my head,
where we read in a string and cast it to a number that could flap like
you've described).


 - Justin

>
> Thanks in advance!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAKYJm92S6m8-ahS93X6%3DELA_a%3DgBbMxNjdKS%2BVW%2BdAy8QpdtkA%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXSr%3Drk5_7ctgAdpPapZkYZzHfceR0zDGTnRO7_KYzrMQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: puppet master not seeing certificate signing request from agent

2018-10-31 Thread Justin Stoller 
What happens on the agent that is running on the master?

When running any agent here's a flag, `--http_debug` I think, that will
show you exactly what Puppet's requesting.

Seeing the output from curling the CA endpoints from the agent in question
might be helpful (both from curl's side and the master's).
See:
https://puppet.com/docs/puppet/5.5/http_api/http_certificate_request.html
and the related CA endpoints. You should be able to do a GET on
certificate/ca and certificate_revocation_list/ca

The agent's timing out doing something, running with  --trace might help
with that.

On Wed, Oct 31, 2018 at 2:12 PM Matt Zagrabelny  wrote:

>
>
> On Wed, Oct 31, 2018 at 11:23 AM Matt Zagrabelny 
> wrote:
>
>> Greetings,
>>
>> I'm running puppet 5.5.6 (Debian testing).
>>
>> I'm having issues getting the master to see the cert signing request from
>> an agent.
>>
>> The firewall isn't an issue. I see the packets hit an "allow" rule on the
>> master, but I've also turned the firewall off.
>>
>> tcpdump shows the packets reaching the server:
>>
>> 2018-10-31 11:03:19.705234 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>> 2018-10-31 11:03:35.833194 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>> 2018-10-31 11:04:08.345204 IP6 2607::2a.46390 > 2607::20.8140: tcp 0
>>
>> 2607::2a = agent
>> 2607::20 = master
>>
>> I'm not seeing anything from the server:
>>
>> # puppet master --no-daemonize
>> Warning: Accessing 'ca' as a setting is deprecated.
>>(location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1165:in
>> `issue_deprecation_warning')
>> Warning: The WEBrick Puppet master server is deprecated and will be
>> removed in a future release. Please use Puppet Server instead. See
>> http://links.puppet.com/deprecate-rack-webrick-servers for more
>> information.
>>(location:
>> /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:207:in `main')
>> Notice: Starting Puppet master version 5.5.6
>>
>> Adding --debug or --verbose didn't seem to yield any extra log messages
>> after the "Starting Puppet master..." for when I expected a cert signing
>> request message.
>>
>> and the agent just shows an expiration:
>>
>> # puppet agent -t --server puppet-5-5
>> Warning: Setting cadir is deprecated.
>>(location: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
>> `issue_deprecation_warning')
>> Error: Could not request certificate: execution expired
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>
>> Any ideas where to look next?
>>
>>
>>
> No new updates, but I wanted to add that lsof reports puppet listening:
>
> puppet25053  puppet8u  IPv4 125393  0t0  TCP *:8140
> (LISTEN)
> puppet25053  puppet9u  IPv6 125394  0t0  TCP *:8140
> (LISTEN)
>
> and I'm not seeing anything in the master log file:
>
> [2018-10-31 16:05:35] DEBUG Puppet::Network::HTTP::WEBrickREST is mounted
> on /.
> [2018-10-31 16:05:35] INFO  WEBrick::HTTPServer#start: pid=25053 port=8140
>
> Confused...
>
> -m
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAOLfK3XYkCM7c3CfB2_CuSGAZ9RFy_4Lk--Xqqc7WEM69z4oTA%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqXmxwTfHmbcsnvsjspT34FKxLWoJMOipKATnn86kQa8mA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet.conf ini heading

2018-10-30 Thread Justin Stoller 
On Tue, Oct 30, 2018 at 2:34 PM Matt Zagrabelny  wrote:

> Greetings,
>
> I'm running puppet 5.5.6 (Debian testing.)
>
> I'm seeing some curious and inconsistent results from where I put config
> settings in /etc/puppet/puppet.conf. When I use the [master] heading, the
> "external_nodes" setting is read by the puppet master:
>
> # cat /etc/puppet/puppet.conf
> [master]
> node_terminus  = exec
> external_nodes = /opt/bin/my-enc
> # systemctl restart puppet-master.service
> # puppet config print external_nodes
> none
>
> However, if I remove the "master" section heading in the puppet.conf file,
> I get the results I expect:
>
> # cat /etc/puppet/puppet.conf
> node_terminus  = exec
> external_nodes = /opt/bin/my-enc
> # systemctl restart puppet-master.service
> # puppet config print external_nodes
> /opt/bin/my-enc
>
> Should I file a bug or is this somehow expected?
>

When your master run it uses only certain sections of the config file
(mainly "master" and "main"[1]), while config print will by default use the
section "main". You can use the `--section ` flag to act on a
specific section. If you don't specify a section in the puppet.conf the
setting will be applied to the "main" section.

eg `puppet config print --section master external_nodes` should give you
want you want.

HTH,
Justin

1.
https://github.com/puppetlabs/puppet/blob/5.5.x/lib/puppet/application/master.rb#L274


Thanks!
>
> -m
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/CAOLfK3UsJHY%2BpFMXUpM1H4%2BL6FajzPj01x09EqfAcWHnkSqb1Q%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVWin1P6KjyDPwsQ5MyhfaYab9-Wi%3Dtxkf5wij0vYVxFg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Re: Updates to CA command line interaction in Puppet 6

2018-09-27 Thread Justin Stoller 
On Thu, Sep 27, 2018 at 9:12 AM  wrote:

> Hi again,
>
> I also tried to set allow-unauthenticated: true for rule "puppetlabs cert
> status" and that worked.
> Now I was able to sign the csr.
>

Be aware, this is a very dangerous way to solve the problem. This will
allow anyone with http access to your CA to sign certs. Maybe your network
is secure enough that that's okay, but in general folks should only
whitelist the certnames or secure extensions that are allowed to admin a CA.

HTH,
Justin


>
> And sorry, puppetserver ca list now also works.
>
> Yours Henri
>
> Am Donnerstag, 20. September 2018 00:58:06 UTC+2 schrieb Simon Tideswell:
>>
>> Hello
>>
>> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
>> was quite seamless.
>>
>> However post upgrade the puppetserver ca command does not work: it yields
>> 403 denied errors. In auth.conf the new Puppet Server has elements like ...
>> allow: {
>>  extensions: {
>>   pp_cli_auth: "true"
>>   }
>> }
>> There's presumably the requirement to recreate the Puppet Server's own
>> certificate with the additional extensions - but this doesn't appear to be
>> documented anywhere? I've worked around this by using a simpler "allow"
>> stanza including the Puppet Server's own certificate and it works, but it'd
>> be nice if the post-upgrade requirement (of re-minting the certificate) was
>> identified in the documentation. I can't say that recreating the
>> certificate with the extension really seems to offer any obvious advantage
>> over just using the server's own certname to be honest?
>>
>> Simon
>>
>> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer
>> wrote:
>>>
>>> Hello!
>>>
>>> As you may know, we are about to release Puppet 6. This release contains *a
>>> major update to the command line tools* that are used to interact with
>>> Puppet's CA and certificates. The update makes the commands much faster and
>>> more reliable, removes duplication, and makes the interface easier to
>>> understand. However, this means that *some scripts and workflows will
>>> have to be updated*.
>>>
>>> *What is getting removed:*
>>> * puppet cert
>>> * puppet ca
>>> * puppet certificate
>>> * puppet certificate_request
>>> *puppet certificate_revocation_list
>>>
>>> *What is new:*
>>> * puppetserver ca 
>>> (for CA tasks like signing and revoking certs)
>>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>>> cert, though these steps will still usually be taken care of by an agent
>>> run)
>>>
>>> We have been making updates to beaker and various test suites to account
>>> for this change. If you use Beaker to do any CA or certificate interaction
>>> in your tests, you will need to make some updates to test against Puppet 6:
>>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both of
>>> these projects contains updates for these CA changes. Details
>>> 
>>> .
>>> 2) Update any tests or pre-suites that use one of the removed commands
>>> to use the equivalent new command instead. For details, invoke `puppet
>>> cert` in Puppet 6 for help output containing the mapping of old commands to
>>> new alternatives. We will have docs pages up soon with this info.
>>>
>>> *The most recent Puppet 6 builds on puppet nightlies
>>>  have these updates if you would like to
>>> try them out ahead of the release.*
>>>
>>> Please feel free to reach out to us if you have any further questions or
>>> feedback.
>>>
>>> Thanks!
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/9c901fae-18fb-4a76-91ad-b6cd35b761ef%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVdw4jYWGc6cNKF6Lxk6LmNq%2BjLcH28fn%3DyYvPyA-D-yA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] New CA CLI tools in Puppet Platform 5.5.5

2018-08-24 Thread Justin Stoller 
Thanks for feedback, Gabriel!

On Fri, Aug 24, 2018 at 5:49 AM Gabriel Filion  wrote:

> Hi there,
>
> On 2018-08-23 2:35 p.m., Maggie Dreyer wrote:
> > In the 5.5.5 release of the Puppet Platform, we released a new
> experimental
> > command line tool for interacting with the Puppet CA.
> >
> > puppetserver ca 
> >
> > This tool uses Puppet Server's puppet-ca API to accomplish common CA
> tasks
> > like signing and revoking certificates, instead of the legacy Ruby code
> in
> > Puppet.
>
> I'm curious here since I'm not following the latest releases very
> closely: was there a necessary change to the command-line user interface
> or could it have been possible to "change all of the plumbing" without
> touching the "porcelain on top"?
>
> if no interface change was necessary then the whole "puppetserver cert"
> subcommand could have been replaced with the new code. it would have
> removed yet another config+interface change necessity for users.
>

The deprecation and removal of the "face based" subcommands was necessary.
These are the subcommands "puppet ca", "puppet certificate", "puppet
certificate_request", and "puppet certificate_revocation_list".

That only leaves "puppet cert", and all of the plumbing for the command had
to change. We also believe its porcelain is fundamentally confusing, mixing
actions that should only be taken on a CA with actions that can or should
be taken on an agent. So we made the choice to split the actions that the
"puppet cert" subcommand provides between a dedicated CA tool that ships
with Puppet Server (puppetserver ca) and a dedicated agent tool that ships
with Puppet Agent (incoming work on "puppet ssl").

Our hope is to simplify the mental model that users need to understand
which features work where in a deployment. We also hope for these to be
relatively simple translations. So if you called, "puppet cert sign --all"
in Puppet 5, in Puppet 6 you call "puppetserver ca sign --all" now.

We want to cause as little turbulence for our existing users as possible
and are striving to make any upgrade work easily scriptable. But we also
know that many new (and existing) users have difficulty understanding our
current certificate workflows and that that difficulty impedes many from
following best practices. Ultimately our goal is help users, existing and
new, to get to those best practices as quickly and easily as possible.


Regards,
Justin

>
> > In addition to the existing major features of `puppet cert`, the new tool
> > also provides a command for generating a chained CA for puppet, with a
> > self-signed root cert and an intermediate CA signing cert. It also
> provides
> > a command for importing an existing root and intermediate cert, for users
> > who wish to have Puppet's CA link back to their existing roots.
>
> hey this is nice. it used to be that advanced management of certificates
> and CA was reserved to the x509 wizards!
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/28df81aa-6375-9647-dbbe-52e104923c0d%40lelutin.ca
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqWEa2qG9JY8hk0wxFuyrYaxGYTRjAyHeMUpK6f0%3DuVbcg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] [puppet-users] A note regarding deprecated CA related settings in Puppet 5.5

2018-08-24 Thread Justin Stoller 
Hello!

We recently released a new version of the Puppet Platform that contained
many CA related deprecations and we wanted to reach out and clarify a few
things.

Currently in Puppet 5 there are two(!) mostly identical CA implementations,
which can cause race conditions in signing and revoking, makes the entire
system needlessly complicated, and doubles the cost of fixing any one bug.

In Puppet 6 we plan to remove one of the implementations which will allow
us to address many long standing bugs with our CA functionality. I
encourage you to check out a recent announcement regarding changes to our
CLI workflows[1].

As part of this, most of our CA related settings that currently live in
puppet.conf are *un-used* by anything that ships with the puppet-agent
package. In Puppet 6, the puppet.conf file will contain mostly agent/apply
related settings, while most master and CA related settings will move to
Puppet Server's configuration files. Almost all of these changes should be
mechanical in nature, for example:

Setting autosign in Puppet 5 looks like this:
$ cat /etc/puppetlabs/puppet/puppet.conf
[main]
  autosign = /usr/local/bin/my-autosigner


In Puppet 6 this will look like:
$ cat /etc/puppetlabs/puppetserver/conf.d/ca.conf
certificate-authority: {
  autosign: /usr/local/bin/my-autosigner
}


While we wanted to get the deprecation notices in front of everyone as soon
as possible, the Puppet Server side config changes have yet to land. For
now, just be aware that these changes are coming and expect more from us
soon about potential upgrade paths.


Thank you,
The Puppet Server Team


1. https://groups.google.com/d/msg/puppet-users/ri69kbtuSmQ/vizBEe-7AAAJ

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUiKk5_V1d1RYGV%3D5yxx8RZNqRTqMFF5FF2uskXYDPXiw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Announce: Puppet Platform 5.5.6 is now available!

2018-08-23 Thread Justin Stoller 
On Thu, Aug 23, 2018 at 1:42 AM Peter Meier  wrote:

> On 08/22/2018 08:42 PM, Molly Waggett wrote:
> > Puppet Platform 5.5.6 is a bug-fix, feature, and deprecations release
> > that includes updates for Puppet 5.5.6, Facter 3.11.4, and Puppet agent
> > 5.5.6. For details, see the Puppet
> > , Facter
> > ,
> > and puppet-agent
> > release
> notes.
>
> So this release deprecates autosign:
>
> Warning: Setting autosign is deprecated.
>(location:
> /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1169:in
> `issue_deprecation_warning')
>
> But to what should this configuration option now be migrated so there is
> no deprecation warning anymore?
>
> From what I see when scanning through docs and jira, the new options are
> not yet implemented. So we just have to live with the deprecation
> warnings? Or what am I missing?
>
> Hi Peter,

Yeah, we wanted to get the deprecations in sooner rather than later, but
unfortunately the Puppet Server side config work didn't land in time for
this release.

For what it's worth, the transformations from Puppet's puppet.conf settings
to Puppet Server's conf.d should be mechanical (if its still a supported
setting then the same values will be honored; they should simply be
translated from ini to hocon in the Puppet Server's config).

We hope to have another release relatively soon that allows you update the
settings (and resolve the deprecation warnings).

HTH,
Justin



> best
>
> ~pete
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/6872e14d-6379-f592-f68f-d4d2bc031642%40immerda.ch
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqUmqGO9dYbFvzi8R0Us1v%3D1NW%3DVKR7UzFvdaaa656HdWQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] [ANN] Puppet Server 2.7.2 Available

2016-12-06 Thread Justin Stoller 
We’re happy to announce the 2.7.2 release of Puppet Server. This is a
backward compatible bug fix release.


The release contains packaging related fixes:
  * Remove unneeded RPM dependencies, including system ruby <--- Regression
in 2.7.x that precipitated this release
  * Improvements to service files for debian-based systemd users


Release notes with more info can be found here: https://docs.puppet.com/
puppetserver/2.7/release_notes.html


Bug tracking queries relating to this version are:
Issues fixed by SERVER 2.7.2 - https://tickets.puppetlabs.
com/issues/?filter=23707
Issues filed against SERVER 2.7.2 since its release -
https://tickets.puppetlabs.com/issues/?filter=23708


WARNING: If you are upgrading to version 2.7.2 from a version earlier than
2.5.0 and you have modified the "bootstrap.cfg"  file, please read this
document before proceeding with the upgrade: https://docs.puppet.com/puppet
server/2.5/bootstrap_upgrade_notes.html



<3
the Puppet Server Team

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVrYcfK2PNyBUFopHG_mRJ0ONKp17ax9zm086-953G0xQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Problems with new PE 2016.4 install

2016-11-03 Thread Justin Stoller 
On Thu, Nov 3, 2016 at 2:52 AM, Jonathan Gazeley <
jonathan.gaze...@bristol.ac.uk> wrote:

> Hi folks,
>
> I've been running open-source Puppet 3.x for years but this week I'm
> dabbling with a new installation of PE 2016.4. I installed from the
> pointy-clicky installer and so far the PE server only has itself in the
> inventory, but is failing to do a puppet run. It bails with this error:
>
> Could not retrieve catalog from remote server: Error 500 on SERVER: Server
> Error: Evaluation Error: Error while evaluating a Resource Statement,
> Evaluation Error: Error while evaluating a Method call, 'dig' parameter
> 'data' expects a Collection value, got String at
> /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/master/puppetserver.pp:673:42
> on node puppet4-prod.resnet.bris.ac.uk
>
> I think that manifest is something that came with PE and not something
> I've installed, so I've no idea where to start. Any ideas?
>

Looking at that line in the puppet configuration it seems that we're
digging into the mountpoints:

$tmp_mount_options = $::mountpoints.dig( '/tmp', 'options' )


Dig expects to be called on a collection[1], and reading the error I would
assume that the fact `mountpoints` is returning a string or that the "/tmp"
key within the fact is returning a string. Which is not how Facter should
be behaving[2].

Have you changed anything relating to Facter or its configuration?


 - Justin


1. https://docs.puppet.com/puppet/4.8/reference/function.html#dig
2. https://docs.puppet.com/facter/latest/core_facts.html#mountpoints

>
> Thanks,
> Jonathan
>
> --
> Jonathan Gazeley
> Senior Systems Administrator
> IT Services
> University of Bristol
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/ms
> gid/puppet-users/a6b299e2-7ff0-edaa-6f38-4747bb64d758%40bristol.ac.uk.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqU%3D1rQq%2Bws%3DjpybcxJWWfeKsu-WKJXx%2BSpnr_ebhuCE2Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

[Puppet Users] Re: beaker gem vs rspec spec/acceptance ?

2016-02-16 Thread Justin Stoller 
On Tue, Feb 16, 2016 at 11:00 AM, Brett Swift  wrote:

> It's the spec_prep that is failing,  so even bundle exec spec won't work.
>

Just an FYI: the spec* rake tasks are controlling and setting up lower
level unit tests using "rspec-puppet"[1] while the task to run acceptance
tests with beaker-rspec is called `rake beaker`. Try a `bundle exec rake
-T` to see a list of valid commands and a brief description about them.

1. www.rspec-puppet.com

>
>
>  $bundle exec rake spec
> Notice: Preparing to install into /Users/bswift/src/live_modules/
> shaw_firewall/spec/fixtures/modules ...
> Notice: Downloading from https://forgeapi.puppetlabs.com ...
> Notice: Installing -- do not interrupt ...
> Error: Operation not permitted @ chown_internal - /Users/bswift/.
> puppetlabs/opt/puppet/cache/puppet-module/cache/puppetlabs-
> firewall20160216-34040-1efvb4v
>

>From the stacktrace it looks like you've got a permissions issue. I would
suggest pointing rspec-puppet questions towards the general puppet-users
list however.



>
> Error: Try 'puppet help module install' for usage
> rake aborted!
> Failed to install module puppetlabs/firewall to spec/fixtures/modules/
> firewall
> /Users/bswift/src/live_modules/shaw_firewall/.bundle/ruby/2.1.0/gems/
> puppetlabs_spec_helper-1.0.1/lib/puppetlabs_spec_helper/rake_tasks.rb:157:
> in `block (2 levels) in '
> /Users/bswift/src/live_modules/shaw_firewall/.bundle/ruby/2.1.0/gems/puppetlabs_spec_helper-1.0.1/lib/puppetlabs_spec_helper/rake_tasks.rb:139:in
> `each'
> /Users/bswift/src/live_modules/shaw_firewall/.bundle/ruby/2.1.0/gems/puppetlabs_spec_helper-1.0.1/lib/puppetlabs_spec_helper/rake_tasks.rb:139:in
> `block in '
> Tasks: TOP => beaker => spec_prep
>
>
> Gemfile:
>
>
> source 'https://rubygems.org'
>
>
> if puppetversion = ENV['PUPPET_GEM_VERSION']
> gem 'puppet', puppetversion, :require => false
> else
> gem 'puppet', :require => false
> end
>
>
> group  :development, :test do
>   gem 'rake',:require => false
>   gem 'puppet-lint', '1.0.1',:require => false
>   gem 'rspec-puppet',:require => false  # :git => '
> https://github.com/rodjek/rspec-puppet.git', --> used to need this?
>   gem 'puppet-syntax',   :require => false
>   gem 'puppetlabs_spec_helper',  :require => false
>   gem 'mocha',   :require => false #  '1.0',  1.1 causes
> problems.Removing this dependency releases mocha to 1.1, which can happen
> eventually
>   gem 'beaker',  :require => false
>   gem 'beaker-rspec',:require => false
>   gem 'vagrant-wrapper', :require => false
>   gem 'guard-rake',  :require => false
>   gem 'growl',   :require => false
>
>
>   gem 'beaker-puppet_install_helper',  :require => false
>   gem 'master_manipulator',:require => false
>   gem 'serverspec',:require => false
>
>
> end
>
>
> The above error was when retrieving module dependencies as listed in your
.fixtures.yml


Per comment above, moving to puppet-users@.


HTH,
Justin


>
>
>> --
> You received this message because you are subscribed to the Google Groups
> "puppet beaker" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-beaker+unsubscr...@googlegroups.com.
> To post to this group, send email to puppet-bea...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-beaker/920e20b7-8e39-45c6-ad5c-1124e9362ad5%40googlegroups.com
> 
> .
>
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVC9taNpCcTSgMzqgwebiBtWswW4rF08pof%2B7T5ujW_DA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Beaker and mock services

2015-10-20 Thread Justin Stoller 
On Tue, Oct 20, 2015 at 12:49 AM, Alex Harvey  wrote:

> Hi all,
>
> I am investigating whether or not I can use Beaker to do acceptance
> testing on roles and profiles.
>
> I've had a look at Liam Bennett's excellent blog posts -
>
> http://tech.opentable.co.uk/blog/2014/09/01/testing-puppet-with-beaker-pt-dot-3-testing-roles/
> http://www.slideshare.net/liamjbennett/cfgmgmt2015-testing-with-beaker
>
> I need to handle a situation in my tests where, say, a role that I am
> testing will apply a base class which will cause the node, for instance, to
> join a FreeIPA domain.  But I don't want Beaker to actually build a FreeIPA
> box.  And I don't want my short-lived node to join a real FreeIPA domain.
>
> I would hope that Beaker could either build Mock Services
> https://en.wikipedia.org/wiki/Mock_object
>
> Or better still, tell Beaker to expect the base class to try to apply the
> FreeIPA class, and just pretend it succeeds.  Just as you can stub out
> methods in rspec etc.
>
> Has anyone done anything like this before?
>

Have you looked into rspec-puppet (http://rspec-puppet.com/)? It should let
you do things like apply a class to a node (the role class) and then
inspect the catalog generated to see if it includes the base class in
question, without having to spin up a new machine (as long as you correctly
stub your facts) or worry about a machine actually connecting to a FreeIPA
domain.

After you have a strong base of rspec-puppet tests I would use Beaker to
ensure that the roles can *actually* spin up a FreeIPA box and join a
similarly spun up domain, in a way that can *relatively* quickly smoke test
small changes at a time before pushing them to a staging environment.


HTH,
Justin


> Kind regards,
> Alex Harvey
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/5493914c-ecc9-42e4-ad90-4151e0e75fbc%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqVP49Az08FLYJoFo2SSgs4esXa2TQvAmaYPjwBUO8Kb6A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] beaker ec2 example, should this work?

2014-10-06 Thread Justin Stoller 
On Mon, Oct 6, 2014 at 6:44 PM, Ken Barber k...@puppetlabs.com wrote:

  I was just testing the host config file from puppetdb coupled with the
 documentation on the beaker documentation.

 Those docs honestly look old, they are still mentioning blimpy which I
 effectively deprecated/superseded with the aws_sdk driver.

  I was actually going to omit the error message.  That's actually all of
 it except for the json output of the compiled beaker configs.   I can send
 the full output  in the morning.

 Send the full output and the configuration and I can take a closer
 look. Anything less, I'll probably struggle.


You should also include a redacted version of your ~/.fog



  It looks like the Google Compute Engine docs  are more complete...  It
 doesn't matter where it runs. Mostly looking for a free tier cloud to get
 started with.   I'm not sure aws micro would even be big enough anyways.
 But it'd be cool to get it working.

 Sure, well we use EC2 heavily so I'm happy to help you there, I know
 some people use Google Compute Engine also, but I have no intimate
 knowledge of how this one works.

 ken.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/CAE4bNTng8oLjKCaVS6RV%2BjBSHqWAgYSatP69fpxcNWF1Upmz%2BA%40mail.gmail.com
 .
 For more options, visit https://groups.google.com/d/optout.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqW3s608U-VhyhVnFnJ3CaqEZ7dcwbYvvJ-jg3iaCXEPOQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] installing PE 3.1 on OpenSuse 13.1 x64

2014-01-08 Thread Justin Stoller 
On Wed, Jan 8, 2014 at 12:21 PM, expouser churi...@gmail.com wrote:


 Hi All,
 Does anyone know how to install PE (3.1 latest) on OpenSuse  (13.1 x64)
 Linux.


Unfortunately, you can't as it's not a supported platform (SLES is though!)


 I'm getting:
 !! ERROR: Unknown platform

 
 trying to run
 #  /puppet-enterprise-3.1.1-all/puppet-enterprise-installer

  # cat /etc/issue
 Welcome to openSUSE 13.1 Bottle - Kernel \r (\l).

  uname -a
 Linux puppetmaster 3.11.6-4-default #1 SMP Wed Oct 30 18:04:56 UTC 2013
 (e6d4a27) x86_64 x86_64 x86_64 GNU/Linux

 Please advice.

 Thank you.


 Regards,

 Kirils.


  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/c1cdc9fb-b9fc-46a8-ae1d-2d30936de2b0%40googlegroups.com
 .
 For more options, visit https://groups.google.com/groups/opt_out.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqWA-0GdAhJ0UW4jVcbizR37bRQKfx12r3sjBv5x8j3Bqg%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] node_aws issue: undefined method

2014-01-02 Thread Justin Stoller 
On Thu, Jan 2, 2014 at 1:23 PM, Colin Cullinan cculli...@gmail.com wrote:

 Hello,

 I am attempting to manage EC2 instances using Puppet's node_aws but
 everytime I run

 *~$ sudo puppet node_aws list*


 I get the following response

 *Error: undefined method `reject' for #Symbol:0x0001c1df0e*
 *Error: Try 'puppet help node_aws list' for usage*


 I have installed Puppet Enterprise Master 3.3.1 on an AWS EC2 Ubuntu 12.04
 x64 instance in the ap-southeast-2 region (following the instructions in
 the first video 
 herehttp://puppetlabs.com/blog/install-puppet-enterprise-ec2-our-new-guide 
 to
 produce an installation answer 
 filehttps://github.com/elcollie/publicscripts/blob/master/puppet.master.answer
 )
 I have also installed Ruby 2.0.0p353, Gem version: 2.1.11 and run the
 Cloud Provisioner install as outlined 
 herehttps://forge-staging-web.puppetlabs.com/puppetlabs/cloud_provisioner/1.0.4
 .

 You should follow the installation guide here as cloud provisioner comes
with PE:
http://docs.puppetlabs.com/pe/latest/cloudprovisioner_configuring.html

It seems you have CP installed as a module with a system wide ruby  gems
and then it is being used as a plugin by puppet (which has its own ruby). I
would try blowing away your CP install and then running the PE installer
and selecting the Install Cloud Provisioner option.

HTH,
Justin


 I also configured my ~/.fog file

 *:default:*
 * :aws_access_key_id:MYKEY*
 * :aws_secret_access_key:MYSECRETKEY*


 I successfully ran *sudo puppet agent -t* on the server to have its agent
 check and appear in the console.

 Any help would be greatly appreciated.

 Col

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/f5ef9764-a003-433f-b037-79d1d82442cb%40googlegroups.com
 .
 For more options, visit https://groups.google.com/groups/opt_out.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CA%2B%3DBEqU-zrdEd3pBKU1Ok6cYvCTvR8Tj4F835UdEGZVgCkLgRQ%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Howto install current Version on SLES

2013-10-17 Thread Justin Stoller 
SUSE Linux Enterprise 11 is a supported PE platform. You can download a
demo for it here: http://info.puppetlabs.com/download (good up to 10 nodes)
Puppet Enterprise contains an installer that will guide you through setting
up Puppet, Facter, MCollective and the Enterprise Console. For more info
you can get started here:
http://docs.puppetlabs.com/pe/latest/install_basic.html

HTH,
Justin


On Thu, Oct 17, 2013 at 9:15 AM, Michael Wörz michael.wo...@gmail.comwrote:

 Hello,

 just started with puppet. But the version shipped with Suse Linux
 Enterprise ist very old and i did not manage to install modules from puppet
 forge.
 So i tryed download some packets from buildservice which seemed to work
 doing basic things, But installed modules from puppet forge caused errors.
 So im not shure if i'm just doing wrong or if there are depedency problems.

 Is there a way to setup a relyable and somehow current
 puppet/factor/mcollevtive on SLES11.2? any Documentation?

 Thanks,


  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users.
 For more options, visit https://groups.google.com/groups/opt_out.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Attention!!! Puppet pe-activemq not Starting

2013-07-18 Thread Justin Stoller 
On Thu, Jul 18, 2013 at 12:44 AM, Ripunjay Godhani ripunj...@gmail.comwrote:



 getting error change from stopped to running failed: Could not start
 Service[pe-activemq]: Execution of '/sbin/service pe-activemq start'
 returned 1: at
 /opt/puppet/share/puppet/modules/pe_mcollective/manifests/activemq.pp:25

 also while doing

 how to start  pe-activemq

 You may have better luck on the pe-users list.

What is the output (to stdout, stderr, or a log file in
/var/log/pe-activemq/*.log) when you run `/sbin/service pe-activemq start`?

 - Justin


 Regards,
 Ripunjay

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users.
 For more options, visit https://groups.google.com/groups/opt_out.






-- 

Join ME at PuppetConf 2013, August 22-23 in San Francisco -
http://bit.ly/pupconf13
It's the FINAL COUNTDOWN!! http://youtu.be/OHWiN_vFtdY
http://bit.ly/pupconf13

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: Unable to use Cloud Provisioner

2013-07-17 Thread Justin Stoller 
On Wed, Jul 17, 2013 at 4:23 PM, shivaraj mathrubai
me.shiva...@gmail.comwrote:

 I'm using CentOS


 On Thursday, 18 July 2013 00:21:52 UTC+1, shivaraj mathrubai wrote:


 Hi Guys,

 I'm unable to load the module cloud provisioner, when I try to run
 node_aws it gives me the below errors:

 Error: Could not autoload puppet/face/node_aws/list_**keynames: no such
 file to load -- guid
 Error: Could not parse application options: Could not autoload
 puppet/face/node_aws/list_**keynames: no such file to load -- guid

 Hrm, it looks like it can't find a dependency...  Can you `yum install
rubygem-guid` ?


 And when I see the help list I can see the below message:

 ! node! Subcommand unavailable due to error. Check error logs.
   ! node_aws! Subcommand unavailable due to error. Check error
 logs.

 I'm using Puppet 3.2.3 and Ruby 1.9.2

 Any hint to fix this ?

 Thanks in advance !




  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users.
 For more options, visit https://groups.google.com/groups/opt_out.






-- 

Join us at PuppetConf 2013, August 22-23 in San Francisco -
http://bit.ly/pupconf13

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] get some issues using rake command with puppet enterprise VM

2013-07-10 Thread Justin Stoller 
On Wed, Jul 10, 2013 at 2:15 AM, Wen Andes ylyy1...@gmail.com wrote:

 Hi, all,

 I use puppet enterprise VM (pe 3.0) with dashboard (version 2.0 built-in)
 to set up my very simple env. but in the master node, when I want to check
 the 'rake' API, I failed with '-bash: rake: command not found'. And I also
 see that the 'gem' command failed. but in fact rubygem is installed (I
 guess so.and check with rpm -q -a |grep ruby  to see something as
 follows:)

 ruby-libs-1.8.5-19.el5_6.1
 pe-ruby-mysql-2.7.3-7.pe.el5
 pe-rubygems-1.5.3-1.pe.el5
 pe-rubygem-rack-1.1.3-1.pe.el5
 pe-rubygem-dalli-1.1.2-0.1.pe.el5
 pe-rubygem-builder-3.0.0-1.pe.el5
 pe-rubygem-mime-types-1.16-1.pe.el5
 pe-rubygem-nokogiri-1.5.0-3.pe.el5
 pe-rubygem-trollop-1.16.2-1.pe.el5
 pe-rubygem-hiera-puppet-0.3.0-1.pe.el5
 ruby-1.8.5-19.el5_6.1
 pe-ruby-libs-1.8.7.370-1.pe.el5
 pe-ruby-rdoc-1.8.7.370-1.pe.el5
 pe-rubygem-stomp-1.1.9-3.pe.el5
 pe-rubygem-ar-extensions-0.9.5-2.pe.el5
 pe-rubygem-tilt-1.3.3-0.2.pe.el5
 pe-rubygem-activerecord-2.3.14-2.pe.el5
 pe-rubygem-excon-0.14.1-1.pe.el5
 pe-rubygem-guid-0.1.1-1.pe.el5
 pe-rubygem-multi-json-1.0.3-1.pe.el5
 pe-rubygem-net-scp-1.0.4-1.pe.el5
 pe-rubygem-rbvmomi-1.3.0-1.pe.el5
 pe-rubygem-fog-1.5.0-1.pe.el5
 pe-ruby-shadow-1.4.1-8.pe.el5
 pe-rubygem-hiera-0.3.0-333.pe.el5
 pe-ruby-augeas-0.4.1-1.pe.el5
 pe-ruby-ri-1.8.7.370-1.pe.el5
 pe-rubygem-json-1.7.5-1.pe.el5
 pe-ruby-1.8.7.370-1.pe.el5
 pe-ruby-irb-1.8.7.370-1.pe.el5
 pe-rubygem-rake-0.8.7-3.pe.el5
 pe-rubygem-sinatra-1.2.6-0.2.pe.el5
 pe-rubygem-activesupport-2.3.14-1.pe.el5
 pe-rubygem-formatador-0.2.0-1.pe.el5
 pe-rubygem-net-ssh-2.1.4-1.pe.el5
 pe-rubygem-ruby-hmac-0.4.0-1.pe.el5
 pe-ruby-ldap-0.9.8-5.pe.el5
 pe-rubygem-stomp-doc-1.1.9-3.pe.el5

 so, howI set up a complete env to get the 'rake' work ?
 \
 thanks in advanced


Rake and Gem are not added to the path automatically. You can find them in
/opt/puppet/bin if you need them however.

HTH,
Justin

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users.
 For more options, visit https://groups.google.com/groups/opt_out.






-- 

Join us at PuppetConf 2013, August 22-23 in San Francisco -
http://bit.ly/pupconf13

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Is it possible to pass extra flags to Puppet via rspec?`

2013-06-26 Thread Justin Stoller 
It's been a while since I jumped into this code and it's late, forgive me
if I say something naive inline.


On Wed, Jun 26, 2013 at 8:14 PM, Nan Liu nan@gmail.com wrote:

 On Wed, Jun 26, 2013 at 7:23 PM, Amos Shapira amos.shap...@gmail.comwrote:

 I'm writing my first puppet function rspec test and am having a problem
 which I don't see how to solve.

 The function (and the test) involve access to files through the File
 Server. In order for the function (and the test) to work I need to pass
 --fileserverconf=fileserver.conf parameter to Puppet.

 So far I haven't found a way to do that.

 If I understand the rspec-puppet source at
 https://github.com/rodjek/rspec-puppet/blob/master/lib/rspec-puppet.rbcorrectly
  then the list of parameters I can pass is limited to the ones
 mentioned in lines 16-22. Am I right?


Those are the limit you can pass to the RSpec.configure { ... } block in
your spec helper.


 Does anyone know how can I pass other parameters, or otherwise affect
 Puppet's configuration to set this value?

 Have you tried something like:

describe 'foo' do
before do
Puppet[:fileserverconfig] = '/my/path/to/fileserver.conf'
end

your tests

end


 Oddly enough, you can't depend on rspec-puppet to configure the settings
 for spec test. For example, puppetlab's spec helper configures the
 modulepath [1] to include spec/fixtures/modules, but this does not seem to
 configure Puppet[:modulepath] setting. For whatever reason, puppet loads
 the modules correctly from spec/fixtures/modules, but when you debug the
 spec test, it appears to set the module path to:

 (rdb:1) p Puppet[:modulepath]
 /dev/null/modules:/usr/share/puppet/modules


Nan -

In puppetlabs_spec_helper/puppet_spec_helper[1] which was based on a file
in Puppet[2] the confdir and vardir are explicitly set to '/dev/null' which
causes the modulepath you're seeing in Puppet proper.

I believe, however the subject catalog/function that is tested in each
example group (unless you explicitly create a subject yourself) should mask
that value with what ever is passed into RSpec.configure (like the
modulepath setting in module_spec_helper) for its
compilation/initialization[3][4].


 - Justin

1.
https://github.com/puppetlabs/puppetlabs_spec_helper/blob/master/lib/puppetlabs_spec_helper/puppet_spec_helper.rb#L96-L97
2.
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/test/test_helper.rb#L142-L156
3.
https://github.com/rodjek/rspec-puppet/blob/master/lib/rspec-puppet/example/function_example_group.rb#L10
4.
https://github.com/rodjek/rspec-puppet/blob/master/lib/rspec-puppet/support.rb#L80-L97


 You can do what Wolf suggested. File server conf is somewhat inconsistent,
 since the setting is actually: Puppet[:fileserverconfig].

 HTH,

 Nan


 1.
 https://github.com/puppetlabs/puppetlabs_spec_helper/blob/master/lib/puppetlabs_spec_helper/module_spec_helper.rb#L21-L24


 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users.
 For more options, visit https://groups.google.com/groups/opt_out.






-- 

Join us at PuppetConf 2013, August 22-23 in San Francisco -
http://bit.ly/pupconf13

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet and VMWare - A potentially stooopid question

2013-06-20 Thread Justin Stoller 
On Thu, Jun 20, 2013 at 2:39 PM, Dan White y...@comcast.net wrote:

 But I'd rather be certain of the answer than guess or try it and go down
 in flames:

 The question:  Can one integrate VMWare with Open Source Puppet ?  Or is
 this a Puppet-Enterprise-only thing ?


You can integrate anything you'd like with OSS :) We have a PL supported
Enterprise-only extension to Cloud Provisioner to integrate with VMWare,
but it uses the open Face API[1]. There's also a number of open source
modules to stand up and manage VMWare products on the Forge and Github.[2]
How do you want to integrate Puppet w/ VMWare?


 - Justin

1. http://docs.puppetlabs.com/pe/latest/cloudprovisioner_vmware.html
2. https://forge.puppetlabs.com/modules?utf-8=%E2%9C%93q=vmware


 “Sometimes I think the surest sign that intelligent life exists elsewhere
 in the universe is that none of it has tried to contact us.”
 Bill Waterson (Calvin  Hobbes)

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users.
 For more options, visit https://groups.google.com/groups/opt_out.






-- 

Join us at PuppetConf 2013, August 22-23 in San Francisco -
http://bit.ly/pupconf13

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

[Puppet Users] Re: [Puppet-dev] Managing System Reboots

2013-04-18 Thread Justin Stoller 
On Thu, Apr 18, 2013 at 1:09 PM, Erik Dalén erik.gustav.da...@gmail.comwrote:

 Would the reboot_pending fact return true on Unix after a newer kernel
 version has been installed but the system isn't rebooted yet?


If I understand the armature correctly the fact example is simply something
that could be implemented at any time, but would be a helpful next step
with mco's puppetral if we implement the reboot resource as described, the
implementation of that fact seemed out of the scope of that armature.

Does that seem correct?

 - Justin



 On 18 April 2013 19:57, Josh Cooper j...@puppetlabs.com wrote:

 I've submitted a proposal for managing reboots, for Windows in
 particular. Please review the document[1] and make comments on the
 associated pull request[2].

 For more information about the armature process itself, please see[3]

 Josh

 [1]
 https://github.com/joshcooper/armatures/blob/reboot/arm-14.reboot/index.md
 [2] https://github.com/puppetlabs/armatures/pull/30
 [3] https://github.com/joshcooper/armatures/blob/master/arm-0.arm/arm.md

 --
 Josh Cooper
 Developer, Puppet Labs

 Join us at PuppetConf 2013, August 22-23 in San Francisco -
 http://bit.ly/pupconf13
 The first 150 tickets sold will be available at a 35% discount - register
 now! Offer expires April 22.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Developers group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-dev+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-...@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-dev?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.






 --
 Erik Dalén

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Developers group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-dev+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-...@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-dev?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: Using onlyif for Windows exec

2013-04-16 Thread Justin Stoller 
On Tue, Apr 16, 2013 at 1:29 PM, Gary Park gep...@gmail.com wrote:

 Hello,

 Thanks for getting back to me.

 I think I forgot to mention, I am using this:

 http://forge.puppetlabs.com/joshcooper/powershell

 Does this change how the onlyif parameter interprets what it is provided?


yes it should. the onlyif and unless parameters should be interpreted the
same was the command parameter.


 Thanks

 Gary

 On Tuesday, April 16, 2013 3:54:19 PM UTC+1, jcbollinger wrote:



 On Monday, April 15, 2013 9:14:21 AM UTC-5, Gary Park wrote:

 Hello,

 I am in the process of trying out Puppet, and so far, it is going
 really well, and I can see a clear line of how we can use it internally.

 I do have one question though with regard to the using the onlyif
 parameter of the exec command (as per here http://docs.puppetlabs.**
 com/references/latest/type.**html#exechttp://docs.puppetlabs.com/references/latest/type.html#exec
 ).

 Ideally, what I would like to do is to only run a PowerShell exec
 command, if a web page doesn't currently exist on the server (i.e. the
 PowerShell script is responsible for deploying the Web Pages (into
 SharePoint in this case) and I only want to run this step, if these pages
 don't already exist.  To that end, I have done something like this:

 onlyif = '$webRequest = [System.Net.WebRequest]::**Create(
 http://some-url.test.**aspx http://some-url.test.aspx); $webRequest.*
 *UseDefaultCredentials = $true; try { 
 if([int]$webRequest.**GetResponse().StatusCode
 -eq 200) { exit 0; } else { exit 1; } } catch [System.Net.WebException] {
 exit 1; }'

 Which, at the command line, has the correct result.  However, when I try
 to run this, I get an error saying that $webRequest is not recognised.



 Puppet invokes the specified command directly, not via the [standard |
 Power] shell, so whether that works at the (some) command line is
 irrelevant.




 Which leads me to think that using variables within the onlyif is not
 supported.  Is that correct?  If so, what is the best approach for doing
 this, or am I going up the wrong path?



 No, that's not correct.  I suppose you expect '$webRequest' to be
 meaningful to (and the whole command sequence to be executed by)
 PowerShell, but you haven't told Puppet to run it via PowerShell.  Instead,
 you've told Puppet to execute a command named literally '$webRequest'.
 Refer to the docs on the Exec type's windows provider for information and
 examples of how to make this sort of thing work: docs.puppetlabs.com/**
 references/3.1.latest/type.**html#exechttp://docs.puppetlabs.com/references/3.1.latest/type.html#exec.
   What they say about the 'command' parameter applies equally to 'onlyif'.


 John

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] External Facts on Windows with Powershell

2013-04-10 Thread Justin Stoller 
This only works in Facter 1.7, what do you get when you run `facter
--version`?

Have you double checked
http://docs.puppetlabs.com/guides/custom_facts.html#enabling-powershell-scriptsto
ensure that the powershell scripts are enabled?

 - Justin



On Tue, Apr 9, 2013 at 8:44 AM, Grant Trevor grant.tre...@gmail.com wrote:

 I'm trying to follow the steps on
 http://docs.puppetlabs.com/guides/custom_facts.html in regards to
 declaring External Facts using powershell.

 I've created a simple .ps1 file outputing a single key pair eg: Write-Host
 mykey=123456, however if I run Facter from the Command Prompt(with
 puppet) my value isn't present.

 Also if I run 'puppet apply MyModule.pp --verbose'  I don't receive any
 information about it attempting to load facts.

 I've also tried a simple txt file with no luck.

 I'm using Puppet 2.7.17 installed via chocolatey, could this be a
 configuration issue, do I need to enable External Task parsing?

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Windows Features/Roles vs. DISM

2013-04-07 Thread Justin Stoller 
On Sun, Apr 7, 2013 at 4:16 PM, Joaquin Menchaca joaquin...@gmail.comwrote:

 I was wondering what experiences (or how to get started) with configuring
 features and roles (some of which may require reboot) on Windows 2008R2
 (and other versions) that others might have had.

 Manually, I have experimented with DISM and ServerManagerCmd.exe on
 Win2k8r2.  I found DISM to be quite dismal as it doesn't do any dependency
 resolution, so it can install partial orphaned components, and it's
 multi-line record format is hard to parse.  I found out that
 ServerManagerCmd supports the full dependencies, such that if you install a
 component in the hierarchy, it will install all the prereqs.  Also, if
 there are any cross dependencies, it will resolve those as well, and
 install everything that you would install from the GUI.  And when you print
 out what is installed, it presents it in a checklist tree format that
 matches the GUI and behavior of Windows.

 A good scenario is to install ASP.NET, which will require IIS7, and have
 some requirements of features in other areas.

 What I would like to have ideally is to have this behavior supported
 somehow, which would be ala RPM-like on Windows.  Any thoughts or
 experiences?


I don't have a ton of experience in this realm but you may want to checkout
the DISM type that Nan wrote[1], it looks like there's a few issues filed
against it (like you said DISM can be a pain), but I know he was using it
to set up vSphere[2] (which might be a good example if you want to look at
puppetizing a full windows server stack).

As far as an RPM-like service for windows I don't know of one. Though
Chocolatey, more like homebrew on OSX, and it's provider[3] is what I use
whenever I can. They seem to have a recipe for installing ASP.NET[4] (but I
haven't tried it). Josh is also working on a reboot type which you may want
to give a try[5].

Sorry I don't have more best practices to offer, though hopefully those
tools can help you out.


 - Justin

1. http://forge.puppetlabs.com/puppetlabs/dism
2. https://forge.puppetlabs.com/puppetlabs/vcenter
3. https://github.com/rismoney/puppet-chocolatey
4. http://chocolatey.org/packages?q=asp
5. https://github.com/joshcooper/puppetlabs-reboot/

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Windows Firewall Question

2013-02-14 Thread Justin Stoller 
On Thu, Feb 14, 2013 at 7:29 AM, jim stra...@gmail.com wrote:

 Hello all,

 I'm currently running 2.7.19 (Puppet Enterprise 2.7.0)

 I want to use puppet to add / amend or delete windows firewall rules, is
 there a tidy way of doing this 

 exec { Check_MK_Firewall_Rule_create:
 command = 'C:\Windows\System32\netsh.exe advfirewall firewall add rule
 name=Check_MK dir=in action=allow protocol=TCP localport=6556',
 unless = 'C:\Windows\System32\netsh.exe advfirewall firewall show rule
 name=Check_MK',
 }

 ## If I remove the unless statement, it will keep add the same rule over
 and over again, which will make the firewall rule list un-manageable


 exec { Check_MK_Firewall_Rule_enable:
 command = 'C:\Windows\System32\netsh.exe advfirewall firewall set rule
 name=Check_MK new enable=Yes',
 }

 ## When I do a puppet run it keeps running this, is there a way to only
 run if disabled ???

 Hope this make sense

 regards

 James


I belive you want to your second exec to subscribe to the first (so the
first exec only runs if the rule doesn't exist and the second only runs if
the first does).

To tidy that up you could put them in a defined type so you can write
something like:
win_firewall { Check_MK:
  direction = in,
  action = allow,
  protocol  = TCP,
  port = 6556,
}

Of course there's a whole host of things you can do to continue tiding up.
Like creating a native type  provider for windows firewall, extending a
current type with a windows provider, or wrapping linux firewall types 
windows firewall types in a more generic 'firewall' type, that just depends
on how far you want to take it.

 - Justin


  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Re: New Type/Provider... How to handle cli input???

2013-02-07 Thread Justin Stoller 
There's a completely undocumented (outside of the Pickaxe book) Ruby STDLIB
module called 'expect' that you could use in 1.8.7, open up irb and give it
a whirl. You can find other expect like gems (or at least crib how they're
using the pty)[1]. I think you'll want something like expect4r[2] extended
for NetApp.


HTH,
Justin

1. https://rubygems.org/search?utf8=%E2%9C%93query=expect
2. https://github.com/jesnault/expect4r


On Thu, Feb 7, 2013 at 7:18 AM, fatmcgav fatmc...@gmail.com wrote:

 John

 Cheers for the response...

 Unfortunately SnapDrive is not my program - It's a NetApp program, so I'm
 not going to be able to change it :(
 Also doesn't look like it's designed to support command line args... :( :(

 But in principle, it looks like it's possible, but a bit hacky...

 Cheers
 Gavin


 On 7 February 2013 14:42, jcbollinger john.bollin...@stjude.org wrote:



 On Thursday, February 7, 2013 5:12:41 AM UTC-6, Gavin Williams wrote:

 Morning all

 I'm looking at writing a set of types/providers to handle NetApp
 SnapDrive configuration and usage...

 There's quite a lot to SnapDrive, so initially, I'm just trying to get
 it to manage credentials.

 The challenge I can immediately see is that for me to set a credential,
 the command prompts for a password input twice... Example command run is:
 # snapdrive config set sd-act-star-db05 act-star-nactl01
 Password for sd-act-star-db05:
 Retype password:
 -957 Warning: Optionally, Please set -mgmtpath interface for
 act-star-nactl01 to be used as data interface i.e
 snapdrive config set -mgmtpath mgmtpath act-star-nactl01

 Is it possible to cater for this in a provider?



 In principle, you can redirect appropriate canned responses into the
 command's standard input. I don't recall offhand whether Puppet's built-in
 executor facilities support that directly, but you can always wrap up
 something like that in a 'bash -c' command.

 It would be far better, however, if the configuration program were built
 to be scriptable (i.e. to not require interactive I/O).  For one thing,
 does your installer prompt for a password even when it is run by root
 (which is what the agent will do in the usual configuration)?  Does it
 support command-line options by which you can bypass any other QA?


 John

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] I can't get a custom fact to work in Windows

2013-02-07 Thread Justin Stoller 
On Thu, Feb 7, 2013 at 2:04 PM, Dan McManus mothbitt...@gmail.com wrote:

 Hello all!

 I am using open source puppet 3.0.1 on both the client and master. The
 issue I am having is that I cannot get a simple custom fact to be
 recognized in my manifest. Hopefully I am missing something.

 I am trying to have a custom fact that will tell me whether the nsclient++
 directory exists or not.
 Here's the custom fact, which is located at
 /etc/puppet/environments/windows/modules/nscp-test/lib/facter

 Facter.add(:nsclient) do
 setcode do
 if File.exists?(c:/program files/nsclient++)
   puts ''nsclient installed'
 else
   puts 'no such directory'


`puts` sends the string to stdout, you want to return the string. Ruby will
implicitly return the last statement in a block. Which is how the examples
in http://docs.puppetlabs.com/guides/custom_facts.html  works.

HTH,
Justin

end
 end
 end


 my init.pp is dead simple:

 class nscp-test {
 notify{$nsclient :}
 }


 Here's what happens when I run puppet agent --test on the client (windows
 2003):

 C:\Documents and Settings\All Users\Application
 Data\PuppetLabs\puppet\var\lib\facterpuppet agent --test
 Info: Retrieving plugin
 Info: Loading facts in C:/Documents and Settings/All Users/Application
 Data/PuppetLabs/puppet/var/lib/facter/nsclient.rb
 no such directory
 no such directory
 Info: Caching catalog for snipped
 Info: Applying configuration version '1360274145'
 Notice: undef
 Notice: /Stage[main]/Nscp-test/Notify[undef]/message: defined 'message' as
 'undef'
 Notice: Finished catalog run in 0.42 seconds


 from the command line,  facter --puppet nsclient works just fine.

 So am I missing something dead simple, or what? This is my first time
 doing custom facts.

 Thanks,

 Dan

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To unsubscribe from this group and stop receiving emails from it, send an
 email to puppet-users+unsubscr...@googlegroups.com.
 To post to this group, send email to puppet-users@googlegroups.com.
 Visit this group at http://groups.google.com/group/puppet-users?hl=en.
 For more options, visit https://groups.google.com/groups/opt_out.




-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Re: [Puppet Users] Puppet console not accessible after installation.

2012-12-18 Thread Justin Stoller 
On Tue, Dec 18, 2012 at 9:03 PM, lalit jangra lalit.j.jan...@gmail.comwrote:

 Hi,

 I have an amazon ec2 instance where i have installed puppet from
 http://info.puppetlabs.com/download-pe.html. Installation is successful
 without any issue as per
 http://docs.puppetlabs.com/pe/2.7/install_basic.html. After successful
 installation, i can see following information on putty console.


 STEP 5: DONE

 Thanks for installing Puppet Enterprise!
Puppet Enterprise has been installed to /opt/puppet, and its
 configuration files are located in /etc/puppetlabs.
 ## Answers from this session saved to
 './answers.lastrun.ip-10-224-122-211.ec2.internal'
 ## In addition, auto-generated database users and passwords, including
 the ROOT MySQL password, have been saved to
 /etc/puppetlabs/installer/database_info.install
!!! WARNING: Do not discard these files! All auto-generated database
 users and passwords, including the ROOT Mysql password, have been saved in
 them.

 =

 The console can be reached at the following URI:
  *  https://ip-10-224-122-211.ec2.internal:443

   If you have a firewall running, please ensure the following TCP ports
 are open: 8140, 61613, 443
NOTICE: This system has 3.67 GB of memory, which is below the 4 GB we
 recommend for the puppet master role. Although this node will be a fully
 functional puppet master, you may experience
poor performance with large numbers of nodes. You can improve the
 puppet master's performance by increasing its memory.


 =


 When am trying to access https://ip-10-224-122-211.ec2.internal:443 i am
 not able to access it  getting errors like

 Unable to connect. Firefox can't establish a connection to the server at
 ip-10-224-122-211.ec2.internal.

 I have provided full qualified hostname as defined by my ec2 instance. Can
 anybody help me why it is not able to start?


The name of the host is only an internal one to Amazon. Your external
hostname is not known (and so the installer told you the known one). You
should be able to substitute the hostname/ip that you used to SSH into the
box for ip-10-224-122-211.ec2.internal and see your console. And of
course make sure you have the ports open in your security group.

HTH,
Justin

PS. there's a pe-users mailing list for PE specific questions that you may
want to post on in the future.


 Regards,
 Lalit.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/N5uI55XA6HIJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Puppet liveManagement very slow

2012-10-13 Thread Justin Stoller 
Try su-ing to the peadmin account and issuing `mco ping`. What kind of
time are you seeing there? Live Management is a GUI front end to using
mcollective and the peadmin account has all of the mco subcommands
added to its path. If there's a reason mcollective is running slowly
it will bog down Live Management.

Also, there's a pe-users list that might be more beneficial to you.


HTH,
Justin

On Fri, Oct 12, 2012 at 4:05 PM, skrishna12 shivays...@gmail.com wrote:
 Hi ,
 I  have installed puppet enterprise  , master and agent  in two nodes in a
 cluster.

 Everything works perfeclty except live mangement console . clicking this
 option take lot of time and finally it doesnot come up. It came 1 or 2
 times.
 Can you explain what could be reason?

 Thanks
 Leo

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/ucSgRa8vvjgJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Puppet 3.0 + Inventory search

2012-10-04 Thread Justin Stoller 
Are you using +ExportCertData in your configuration?

Have a look at: http://projects.puppetlabs.com/issues/16769

and let us know if you think this is what is affecting you.

 HTH,
Justin

On Thu, Oct 4, 2012 at 9:47 AM, Jeff McCune j...@puppetlabs.com wrote:
 On Thu, Oct 4, 2012 at 2:00 AM, Nathan Flynn e...@eper.net wrote:
 Hello,

 I am having problems with Puppet since upgrading to 3.0.0.

 I'm sorry to hear you're running into issues with 3.0.0.

 When I call an inventory search I get a Error 400. I have used dashboard +
 Perl

 I'd like to try and reproduce this error here.  What operating system
 are you running the puppetmaster on?

 Oct  4 08:58:43 puppet01 puppet-master[7008]: Handling request: GET
 /production/facts_search/search?facts.lsbdistcodename.eq=lenny
 Oct  4 08:58:43 puppet01 puppet-master[7008]: header too long


 ii  facter  1.6.12-1puppetlabs2  Ruby
 module for collecting simple facts about a host operating system
 ii  hiera   1.0.0-1puppetlabs2   A
 simple pluggable Hierarchical Database.
 ii  puppet  3.0.0-1puppetlabs1
 Centralized configuration management - agent startup and compatibility
 scripts
 ii  puppet-common   3.0.0-1puppetlabs1
 Centralized configuration management
 ii  puppet-dashboard1.2.11-1puppetlabs1
 Dashboard for Puppet
 ii  puppetdb1.0.0-1puppetlabs1
 PuppetDB Centralized Storage.
 ii  puppetdb-terminus   1.0.0-1puppetlabs1   Connect
 Puppet to PuppetDB by setting up a terminus for PuppetDB.
 ii  puppetmaster3.0.0-1puppetlabs1
 Centralized configuration management - master startup and compatibility
 scripts
 ii  puppetmaster-common 3.0.0-1puppetlabs1   Puppet
 master common scripts
 ii  puppetmaster-passenger  3.0.0-1puppetlabs1
 Centralised configuration management - master setup to run under mod
 passenger
 ii  vim-puppet  3.0.0-1puppetlabs1   syntax
 highlighting for puppet manifests in vim

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/QNQWubob8lYJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Puppet 3.0 fails install on Solaris 10 w/ ruby 1.8.7

2012-10-01 Thread Justin Stoller 
On Mon, Oct 1, 2012 at 4:28 PM, Matthaus Owens matth...@puppetlabs.com wrote:
 The puppet 3 gem requires hiera, whose latest version requires json,
 which can be either json (a c extension), or json_pure (a ruby
 implementation). If it is the c extension, make and gcc are required
 to build the c components. The mkmf error usually indicates that make
 and/or gcc are unavailable.

The development headers for ruby are also required, I believe
ruby18-dev will pull in the gnu compiler utils as well if you install
it:
http://www.opencsw.org/packages/CSWruby18-dev/
http://www.opencsw.org/packages/CSWruby18-gcc4/

This is the same way most linux distros package ruby, so issues you
see around compiling native extensions for linux should be equally
helpful for you.

Or you can install the pre-compiled json gem:
http://www.opencsw.org/packages/CSWrb18-json-1-5-3/


 - Justin



 On Mon, Oct 1, 2012 at 4:18 PM, Forrie for...@gmail.com wrote:
 There's a problem installing puppet on Solaris 10 -- in this situation, we
 aren't really doing anything with puppet there.

 The version we're using is:

 ruby 1.8.7 (2011-02-18 patchlevel 334) [i386-solaris2.9]

 Here's the first error:

 # gem update puppet

 Updating installed gems

 Updating puppet

 Building native extensions.  This could take a while...

 ERROR:  Error installing puppet:

 ERROR: Failed to build gem native extension.


 /opt/csw/bin/ruby18 extconf.rb

 extconf.rb:1:in `require': no such file to load -- mkmf (LoadError)

 from extconf.rb:1



 Gem files will remain installed in
 /opt/csw/lib/ruby/gems/1.8/gems/json-1.7.5 for inspection.

 Results logged to
 /opt/csw/lib/ruby/gems/1.8/gems/json-1.7.5/ext/json/ext/generator/gem_make.out

 Nothing to update



 So I decided to uninstall the old version and try again:


 # gem uninstall puppet

 Remove executables:

 filebucket, pi, puppet, puppetdoc, ralsh, puppetca, puppetd,
 puppetmasterd, puppetqd, puppetrun


 in addition to the gem? [Yn]  y

 Removing filebucket

 Removing pi

 Removing puppet

 Removing puppetdoc

 Removing ralsh

 Removing puppetca

 Removing puppetd

 Removing puppetmasterd

 Removing puppetqd

 Removing puppetrun

 Successfully uninstalled puppet-2.7.18


 Now a fresh install:


 # gem install puppet

 Building native extensions.  This could take a while...

 ERROR:  Error installing puppet:

 ERROR: Failed to build gem native extension.


 /opt/csw/bin/ruby18 extconf.rb

 extconf.rb:1:in `require': no such file to load -- mkmf (LoadError)

 from extconf.rb:1



 Gem files will remain installed in
 /opt/csw/lib/ruby/gems/1.8/gems/json-1.7.5 for inspection.

 Results logged to
 /opt/csw/lib/ruby/gems/1.8/gems/json-1.7.5/ext/json/ext/generator/gem_make.out


  The content of this last file is the same as the above error message:

 extconf.rb:1:in `require': no such file to load -- mkmf (LoadError)

 from extconf.rb:1


 Anyone know what the issue is?


 Thanks.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/6bxXifJJK1AJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.



 --
 Matthaus Owens
 Release Manager, Puppet Labs

 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] How to make a module reject invalid parameter

2012-09-25 Thread Justin Stoller 
On Tue, Sep 25, 2012 at 8:57 AM, Philip Brown p...@bolthole.com wrote:
 I tried a few google searches on this, and attempted to look through
 docs.puppetlabs.com, but couldnt find anything...

 how do you make a module throw an error for an unrecognized parameter?

 ie:

 class setitup($machtype) {
   case $machtype {
   prod:  { blah}
   dev:  {blah}
  default: { error Unrecognized machtype parameter value }
   }
 }


I think you'll have better luck in the standard library:
https://github.com/puppetlabs/puppetlabs-stdlib

Specifically the validate_*, type, member, and is_* functions are all
for helping validate parameters. Documentation is the in the Readme
and pretty good.


HTH,
Justin



 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/_8zyA3QImNcJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] writing providers

2012-09-25 Thread Justin Stoller 
I know that yours was more a question for the community but have you
checked out:
http://docs.puppetlabs.com/puppet/#hacking-and-extending

If those aren't super helpful we'd love to make them better.


HTH,
Justin


On Tue, Sep 25, 2012 at 10:47 AM, Jakov Sosic jso...@srce.hr wrote:
 On 09/25/2012 05:09 PM, Darin Perusich wrote:
 Hello All,

 Does anyone have any good documentation, with examples, on writing
 providers? I have both the puppet books and I've been reviewing the
 various providers that are distributed w/puppet and modules but I'm
 not seeing things like how to properly execute commands, best  way to
 parse output, or how to debug them during development.

 Thanks!

 I can send you my providers for Cobbler that I am writing.


 They are kinda simple so you can get around? Drop me a private mail if
 you want.

 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] puppetlabs jenkins setup

2012-08-25 Thread Justin Stoller 
On Sat, Aug 25, 2012 at 6:14 AM, Choon Ming Goh choonming2...@gmail.com wrote:
 Hi,

 I'm in the middle of setting up jenkins for testing and building our puppet
 modules. I'm quite new at this and been trying to make it work the way i
 wanted but in reality it doesnt. There are a few issues/questions that I
 hope someone in puppetlabs/jenkins can help me with:

 1. module dependency - how do I build and test modules is dependent on
 another module that is being built at the same time using rspec in jenkins.
 The good example is rtyler's jenkins module

You'll need (at this point) fixtures for those other modules. Have you
tried reading Branan's blog post about getting started module testing?
http://puppetlabs.com/blog/the-next-generation-of-puppet-module-testing/
  if I remember right there's either an example of fixtures there or a
link to a module that at least uses them (seeing code always helps).

 2. how can I have jenkins to create a tarball of the module and made it
 available for download whenever I click on the builds?

Go to the 'workspace' of the build. ( at
www.myjenkinsserver.com/job/My Job Name/ws ) This will let you click
through the artifacts of the build (and gives you the option to
download as a zip). You can add a build step after your main tests to
create a tarball. You can also look into a publisher plugin to do that
for you ( 
https://wiki.jenkins-ci.org/display/JENKINS/Plugins#Plugins-Artifactuploaders
).


HTH,
Justin



 This is what I can think of for now and if anyone have an idea please do
 help.

 Thanks

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/n1qm-r0y5UAJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Announce: Puppet 3.0.0-rc4 Available

2012-08-25 Thread Justin Stoller 
On Sat, Aug 25, 2012 at 3:45 AM, Sandra Schlichting
littlesandr...@gmail.com wrote:
 Does there exist a tracker bug of blocking bugs for final release?

Redmine supports filtering tickets by their target version. You can
filter based on which are still open and targeted at 3.0.0. This link
might work for you (or might require you to log in first):

https://projects.puppetlabs.com/projects/puppet/issues?set_filter=1f[]=status_idop[status_id]=of[]=fixed_version_idop[fixed_version_id]=%3Dv[fixed_version_id][]=271f[]=c[]=projectc[]=trackerc[]=statusc[]=priorityc[]=subjectc[]=assigned_toc[]=fixed_versiongroup_by=




 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/d0xADxbjGzUJ.

 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Hiera to hash

2012-08-22 Thread Justin Stoller 
On Wed, Aug 22, 2012 at 1:34 PM, Douglas Garstang
doug.garst...@gmail.com wrote:
 On Wed, Aug 22, 2012 at 11:08 AM, Douglas Garstang
 doug.garst...@gmail.com wrote:
 On Tue, Aug 21, 2012 at 11:51 PM, Douglas Garstang
 doug.garst...@gmail.com wrote:
 On Tue, Aug 21, 2012 at 11:44 PM, Douglas Garstang
 doug.garst...@gmail.com wrote:
 On Tue, Aug 21, 2012 at 11:19 PM, Stephen Gran
 stephen.g...@guardian.co.uk wrote:
 Hi,

 On Tue, 2012-08-21 at 21:00 -0700, Douglas Garstang wrote:
 I know I did this once before but can't find docs on how to do it again.

 I have this in a yaml file:

 pvdisks:
 ec2_pvdisks_m1.small:
 disks: /dev/xvdb1
 enabled: yes

 Loading it with hiera.

 Manifest has:

 $testkey = hiera('pvdisks')
 notice (TESTKEY=$testkey[ec2_pvdisks_m1.small])

 This is printing
 TESTKEY=ec2_pvdisks_m1.smalldisks/dev/xvdb1enabledtrue['ec2_pvdisks_m1.small']

 Try inspecting it some other way than printf debugging - notice always
 flattens variables by calling .to_s on them, so it is not a very useful
 tool.  I am assuming that things are indeed fine, but this is confusing
 matters.

 I've since learned that I have to use hiera_array and hiera_hash,
 which aren't documented anywhere.

 Now I've got:

 ec2_config:
   instance:
   m1.small:
 pvdisks:
 - /dev/xvdb1
 swapvol_size: 2G
 logvol_size: 64G
   m1.medium:
 pvdisks:
 - /dev/xvdb1
 swapvol_size: 2G
 logvol_size: 64G
   m1.large:
 pvdisks:
 - /dev/xvdb1
 - /dev/xvdc1
 swapvol_size: 4G
 logvol_size: 64G

 and I've tried to access the data every witch way.

 This gives me a syntax error...
 $pvdisks = 
 hiera_array(ec2_config['instance'][$::ec2_instance_type]['pvdisks'])

 and this:
 $pvdisks = 
 hiera_array($ec2_config['instance'][$::ec2_instance_type]['pvdisks'])

 gives me:
 err: Could not retrieve catalog from remote server: Error 400 on
 SERVER: ec2_config is not an hash or array when accessing it with
 instance at /truth/sauce/env/prod/modules/role/manifests/base_server.pp:27
 on node gfs01.us1.xxx.com

 Ugh.

 Doug.

 Actually, apparently, no, that's not what these functions are for. :(

 Doug.

 :(

 Apparently this is difficult and/or not supported...

Is this what you're trying to do?

$ec2_config = hiera('ec2_config')
$pvdisks = $ec2_config['instance'][$::ec2_instance_type]['pvdisks']


http://docs.puppetlabs.com/puppet/2.7/reference/lang_datatypes.html#hashes

HTH,
Justin


 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] don't push out facter-1.6.11 without testing ; causes puppetd hang

2012-08-20 Thread Justin Stoller 
Hey Jo,

Do you have any debugging information about this issue? Stack traces,
systems, versions, ruby, custom facts, etc would all be helpful. It
certainly seems from what you said that the version of Facter had
something to do with this error, but I'm not exactly sure how Facter
would affect Puppet's lock file

 - Justin

On Mon, Aug 20, 2012 at 1:02 PM, Jo Rhett jrh...@netconsonance.com wrote:
 Nope, they think they are running. We had to reset the policy to downgrade
 facter, then login to each host and service puppet stop ; puppet agent
 --test --ignoreschedules (our systems are set to only upgrade packages in
 certain hours) to get the hosts back online.

 This looks similar to the old problem with a kernel that changed proc
 semantics, but it's not the kernel this time. Reverting facter to 1.6.10
 resolves the issue.

 On Aug 17, 2012, at 5:55 PM, Stuart Cracraft wrote:

 Can you kick them somehow?

 On Aug 17, 2012, at 5:50 PM, Jo Rhett jrh...@netconsonance.com wrote:

 At least on CentOS 5 and CentOS 6, after upgrading to facter 1.6.11 our
 hosts stopped checking in. Stale puppetdlock problem.

 --
 Jo Rhett
 Net Consonance : net philanthropy to improve open source and internet
 projects.




 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.



 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.


 --
 Jo Rhett
 Net Consonance : net philanthropy to improve open source and internet
 projects.



 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] puppet-rspec / puppetlabs_spec_helper

2012-08-17 Thread Justin Stoller 
On Fri, Aug 17, 2012 at 8:42 AM, llowder llowde...@gmail.com wrote:

 I am using puppet 2.7.14 on Ubuntu 10.04 LTS. I have the following gems:

 *** LOCAL GEMS ***

 diff-lcs (1.1.3)
 hiera (0.3.0)
 hiera-puppet (0.3.0)
 metaclass (0.0.1)
 mocha (0.12.1)
 puppet-lint (0.1.13)
 puppetlabs_spec_helper (0.2.0)
 rake (0.9.2.2)
 rspec (2.11.0)
 rspec-core (2.11.1)
 rspec-expectations (2.11.2)
 rspec-mocks (2.11.1)
 rspec-puppet (0.1.3)

 When I run rake help I get the following:

 $ sudo rake help --trace
 (in /etc/puppet/environments/test/modules/ruby)
 rake aborted!
 uninitialized constant Rake::DSL
 /usr/lib/ruby/1.8/rake.rb:2503:in `const_missing'
 /var/lib/gems/1.8/gems/rake-0.9.2.2/lib/rake/tasklib.rb:8
 /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
 /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `require'
 /var/lib/gems/1.8/gems/rspec-core-2.11.1/lib/rspec/core/rake_task.rb:4
 /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require'
 /usr/lib/ruby/1.8/rubygems/custom_require.rb:31:in `require'
 /var/lib/gems/1.8/gems/puppetlabs_spec_helper-0.2.0/lib/puppetlabs_spec_helper/rake_tasks.rb:2
 /usr/lib/ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
 /usr/lib/ruby/1.8/rubygems/custom_require.rb:36:in `require'
 /etc/puppet/environments/test/modules/ruby/Rakefile:2
 /usr/lib/ruby/1.8/rake.rb:2383:in `load'
 /usr/lib/ruby/1.8/rake.rb:2383:in `raw_load_rakefile'
 /usr/lib/ruby/1.8/rake.rb:2017:in `load_rakefile'
 /usr/lib/ruby/1.8/rake.rb:2068:in `standard_exception_handling'
 /usr/lib/ruby/1.8/rake.rb:2016:in `load_rakefile'
 /usr/lib/ruby/1.8/rake.rb:2000:in `run'
 /usr/lib/ruby/1.8/rake.rb:2068:in `standard_exception_handling'
 /usr/lib/ruby/1.8/rake.rb:1998:in `run'
 /usr/bin/rake:28

 I suspect it is something simple, like missing gem, but can't figure it out.

This is RSpec using an old way of initializing Rake.
see: 
http://stackoverflow.com/questions/6085610/ruby-on-rails-and-rake-problems-uninitialized-constant-rakedsl
for more discussion and possible solutions.

Lemme know if that doesn't work for you.

HTH,
Justin

 Any ideas?


 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/XUL_3dTbJcgJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Error 400 on SERVER: Could not parse for environment production: Syntax error at '{'; expected '}'

2012-08-14 Thread Justin Stoller 
On Tue, Aug 14, 2012 at 7:49 AM, Jen Patrick jenafl...@gmail.com wrote:
 It's barfing on this:

Is this in relation to a previous thread?

  Error 400 on SERVER: Could not parse for environment production: Syntax
 error at '{'; expected '}'

is there a line number?


 Here's the node.pp

Does this work?


 node ccc.unix.ccc.ccc.edu {
   class {
$static = {
 eth0 = {
   macaddress = $macaddress_eth0,
   ipaddress  = 192.168.185.228,
   netmask= 2255.255.255.128,
   gateway= 192.168.185.129,
 }
   }

  web_server:
   net_static   = $static,
#   net_static   = {
# eth0 = {
#   macaddress = $macaddress_eth0,
#   ipaddress  = 192.168.185.228,
#   netmask= 2255.255.255.128,
#   gateway= 192.168.185.129,
# }
#   },

   environment   = production,
   unattended_update = true,
   nfs   = false,
   proxy = false,
   apachessl = false,
   admins= [void, Null];
   }

   apache::vhost {
 $fqdn:
   priority = '20',
   port = '80',
   docroot  = '/var/www',
   }



 # open firewall from vpn
   firewall {
 044 allow SSH from 192.168.10.0/23:
   action = accept,
   proto  = tcp,
   dport  = 22,
   source = '192.168.10.0/23';
   }
 }

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/4wBjWB34Di8J.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] syntax change or regression?

2012-08-12 Thread Justin Stoller 
On Sun, Aug 12, 2012 at 1:35 AM, Samuel José Martín faus...@gmail.com wrote:

 Hi,

 I am using puppet to generate ipsec tunnels configuration on OpenBSDs
 gateways.
 Having a bunch of offices, I did something like this:

 $enc = $office ?
 {
 paris =
 {
 london = aes,
 kiev = 3des
 },
 london =
 {
 paris = aes,
 kiev = 3des
 },
 kiev =
 {
 paris = 3des,
 london = 3des
 }
 }

 This may not be the cleaner way, since I have to specify each variable two
 times - the enc for tunnel from paris to london is obviously the same as the
 one from london to paris.
 However, this works, under OpenBSD 4.9 and our production puppetmaster
 (2.6).

 Now, we want to upgrade our firewalls to OpenBSD 5.0.
 Their puppet client version (2.7.1) is forcing us to upgrade our
 puppetmaster too.

 My test puppetmaster is running debian wheezy, with puppet* 2.7.14-1.
 While executing puppetd -vt on the client, it fails compiling catalog, with
 some syntax error at '{'; expected '}'.
 I've just updated my puppetmaster to 2.7.18-1, no changes since my last
 check.
 The faulty { is the second one (in my sample, the one just after paris).

 Is this some regression, in ruby or puppetmaster?
 Or is this kind of syntax deprecated in any way?
 Is there any replacement?

I think you've found this:
https://projects.puppetlabs.com/issues/14301   --   Hashes can not be
used in selectors

I don't know how it sits in the deprecated/regression realm.
I think updating your thoughts in the ticket would help move it
forward in development though.

 What could I do to patch my repository, before upgrading our production
 puppetmaster?

For the time being (if you don't want to refactor your module in
otherways) you can always assign the hash outside of the selector
(my_test.pp)

$office = 'paris'

$paris  = { london = aes,  kiev =   3des }
$london = { paris  = aes,  kiev =   3des }
$kiev   = { paris  = 3des, london = 3des }

$enc = $office ?  {
  paris = $paris,
  london = $london,
  kiev = $kiev
}

notify { $enc['london']: }




 - Justin



 Thanks for your help,

 Regards.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/dJiuo5sjBYwJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] initial puppet agent --test --verbose upon quick start installation FAILS v2.53

2012-08-10 Thread Justin Stoller 
On Fri, Aug 10, 2012 at 6:08 AM, Patrick McCarty
patrick.mcca...@gmail.com wrote:
 All,

 I am evaluating Puppet for a client.  It has not been a smooth evaluation. :-)

Sorry to hear that. It's a great tool, but its still got a few edges
that if you fall on can be mighty sharp.


 I have four machines, puppet, console, node1 and node 2- all on the same 
 segement with no firewall nor router between them.  They have sequentially 
 numbered IP's and I can ping each one from all the others via short name 
 [puppet, console, node1 or node2] or their FQDN [puppet.vision.com, 
 console.vision.com, node1.vision.com and node2.vision.com].

 I get the following error on all four devices:

This is an error in the master - console communication and as every
run uses this, every run on every node will fail.


  puppet agent --test --verbose
 info: Retrieving plugin
 info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/root_home.rb
 info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/puppet_vardir.rb
 info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/facter_dot_d.rb
 err: Could not retrieve catalog from remote server: Error 400 on SERVER:

The Puppet Master had a 400 (General Error) becuase:

 Error 403 on SERVER: Forbidden request: puppet.vision.com(10.197.0.6) access 
 to /facts/node1.vision.com

It doesn't have permission to access the inventory service.

 [save] authenticated  at line 56

This is the super unhelpful part of the error message, what file? I'd
start with your auth.conf.

 warning: Not using cache on failed catalog
 err: Could not retrieve catalog; skipping run

 Any help would be appreciated.

I've seen a few folks have this error recently and googling to remind
myself of their solutions I found a few references to auth.conf,
umask, selinux around the inventory service. What platform are you on?
Have you done any custom security hardening? I feel like I've seen
more pe-users mentioning this problem, but that's a completely
un-scientific hunch and I'm not yet sure whether its because of our
tightening of default permissions or just more users operating split
master/console nodes.

Either way there's a pe-users list that I'd recommend you hit for more
PE specific help.


HTH,
Justin


 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To view this discussion on the web visit 
 https://groups.google.com/d/msg/puppet-users/-/jAO6JRia0L0J.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] inventory service vs stored config (conflicts?)

2012-07-25 Thread Justin Stoller 
they will conflict

you should definitely look into puppetdb as a more scalable solution
than the active_record terminus for both inventory service and
storeconfigs

storedconfigs stores resources from your puppet manifests and
inventory service stores facts.


 - Justin
sorry for the top post


On Wed, Jul 25, 2012 at 9:43 AM, Hai Tao ehai...@gmail.com wrote:
 I have set up inventory service to save my client's fact, as

 [master]
 facts_terminus = inventory_active_record
 dblocation = {sqlite file path (sqlite only)}
 dbadapter = {sqlite3|mysql|postgresql|oracle_enhanced}
 dbname = {database name (all but sqlite)}
 dbuser = {database user (all but sqlite)}
 dbpassword = {database password (all but sqlite)}
 dbserver = {database server (MySQL and PostgreSQL only)}
 dbsocket = {database socket file (MySQL only; optional)}

 the question is if I then config the stored config, will the db conflicts?

 storeconfigs = true
 dbadapter = mysql
 dbuser = puppet
 dbpassword = password
 dbserver = localhost
 dbsocket = /var/run/mysqld/mysqld.sock

 as many are overlaped, such as dbadapter, dbpassword? I also do not
 understand what stored config store other than facts.

 Thankls.

 Hai T.

 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] inventory service vs stored config (conflicts?)

2012-07-25 Thread Justin Stoller 
On Wed, Jul 25, 2012 at 11:08 AM, Hai Tao ehai...@gmail.com wrote:
  storeconfig also store facts, as I can see from the table list after
 I configured stored config:

 +--+
 | Tables_in_puppet |
 +--+
 | fact_names   |
 | fact_values  |
 | hosts|
 | inventory_facts  |
 | inventory_nodes  |
 | param_names  |
 | param_values |
 | puppet_tags  |
 | resource_tags|
 | resources|
 | source_files |
 +--+

 then the question is why would inventory needed anymore?

the db settings are the same for both inventory and storeconfigs
(that's why they'll conflicdt). when you tell puppet to use either it
will automatically create the database for you. it creates one puppet
database, and puts tables in there for both storeconfigs and inventory
service. the actual code to retrieve, save and query facts (inventory
service) and puppet resources (storedconfigs) are different however
and even if the tables exist they all won't be populated until you
enable both.

does that make sense?


 On Wed, Jul 25, 2012 at 10:46 AM, Justin Stoller jus...@puppetlabs.com 
 wrote:
 they will conflict

 you should definitely look into puppetdb as a more scalable solution
 than the active_record terminus for both inventory service and
 storeconfigs

 storedconfigs stores resources from your puppet manifests and
 inventory service stores facts.


  - Justin
 sorry for the top post


 On Wed, Jul 25, 2012 at 9:43 AM, Hai Tao ehai...@gmail.com wrote:
 I have set up inventory service to save my client's fact, as

 [master]
 facts_terminus = inventory_active_record
 dblocation = {sqlite file path (sqlite only)}
 dbadapter = {sqlite3|mysql|postgresql|oracle_enhanced}
 dbname = {database name (all but sqlite)}
 dbuser = {database user (all but sqlite)}
 dbpassword = {database password (all but sqlite)}
 dbserver = {database server (MySQL and PostgreSQL only)}
 dbsocket = {database socket file (MySQL only; optional)}

 the question is if I then config the stored config, will the db conflicts?

 storeconfigs = true
 dbadapter = mysql
 dbuser = puppet
 dbpassword = password
 dbserver = localhost
 dbsocket = /var/run/mysqld/mysqld.sock

 as many are overlaped, such as dbadapter, dbpassword? I also do not
 understand what stored config store other than facts.

 Thankls.

 Hai T.

 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.




 --
 Hai Tao

 --
 You received this message because you are subscribed to the Google Groups 
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to 
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at 
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] PE Install Problem Finding /erb/console_auth_db_config.yml.erb

2012-06-16 Thread Justin Stoller 
On Fri, Jun 15, 2012 at 3:07 PM, hulk15 btholc...@gmail.com wrote:
 Hey guys,
     Trying to install PE for a PoC and have run into the following:  Has
 anyone seen this?

 Starting puppet:   [  OK  ]
 ** chkconfig pe-puppet on
 ** cp -a /etc/puppetlabs/puppet-dashboard/database.yml
 /etc/puppetlabs/puppet-dashboard/database.yml.20120615T215945.bak
 ** cp -a /etc/puppetlabs/puppet-dashboard/settings.yml
 /etc/puppetlabs/puppet-dashboard/settings.yml.20120615T215945.bak
 ** /opt/puppet/bin/erb -T - './erb/console_auth_db_config.yml.erb' 
 '/etc/puppetlabs/console-auth/database.yml'
 /opt/puppet/bin/erb:115:in `read': No such file or directory -
 ./erb/console_auth_db_config.yml.erb (Errno::ENOENT)
     from /opt/puppet/bin/erb:115:in `run'
     from /opt/puppet/bin/erb:140
 Thanks!

In the extracted tarball directory, the root install dir where
'puppet-enterprise-installer' lives there should be a directory 'erb'
which contains the file 'console_auth_db_config.yml.erb'. Does this
exist? Have you done anything that could have removed either the file
or the directory?

The actual command is trying to load it from './erb/...' did you run
the installer from the directory where it resides (ie
'./puppet-enterprise-installer') or from another location
'/tmp/extracted_dir/puppet-enterprise-installer'?

The file should be there unless the tarball/extracted directory was
tampered with and the installer should be able to find it as long as
it was ran from the directory where it sits. If the file doesn't exist
I'd try either re-extracting the tarball or re-downloading. If none of
that works, lemme know on the pe-users list (which is where questions
like this should go) which platform, major version, PE version,
tarball you've been getting and we can go from there.


 - Justin

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/yrKyyr-_yesJ.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: HP-UX Puppet Agent

2012-04-05 Thread Justin Stoller 
On Thu, Apr 5, 2012 at 8:22 AM, Nan Liu n...@puppetlabs.com wrote:

 On Thu, Apr 5, 2012 at 2:57 PM, Michael Glatz mfgl...@gmail.com wrote:
  Removing the default group worked for the most part but I am still
  running into some issues
 
  It cataloged correctly and even ran the test class I created
 
  notice: Starting Puppet client version 2.7.12
  debug: Finishing transaction 545631632
  debug: Loaded state in 0.00 seconds
  processor - invalid major number
  usage: lsdev [-h] [-d driver | -C class] [-b block_major] [-c
  char_major]
  [-e major] [major] ...
  uname: illegal option -- p
  usage: uname [-amnrsvil] [-S nodename]
  debug: catalog supports formats: b64_zlib_yaml dot marshal pson raw
  yaml; using pson
  debug: Using cached certificate for ca
  debug: Using cached certificate for agent
  debug: Using cached certificate_revocation_list for ca
  info: Caching catalog for agent
  debug: Creating default schedules
  debug: Loaded state in 0.00 seconds
  info: Applying configuration version '1333637360'
  debug: /Schedule[daily]: Skipping device resources because running on
  a host
  debug: /Schedule[monthly]: Skipping device resources because running
  on a host
  debug: /Schedule[hourly]: Skipping device resources because running on
  a host
  notice: /Stage[main]/Core_permissions/File[/etc/fstab]/group: group
  changed 'sys' to 'root'
  debug: /Stage[main]/Core_permissions/File[/etc/fstab]: The container
  Class[Core_permissions] will propagate my refresh event
  notice: /Stage[main]/Core_permissions/File[/etc/crontab]/ensure:
  created
  debug: /Stage[main]/Core_permissions/File[/etc/crontab]: The container
  Class[Core_permissions] will propagate my refresh event
  notice: /Stage[main]/Core_permissions/File[/etc/passwd]/group: group
  changed 'sys' to 'root'
  notice: /Stage[main]/Core_permissions/File[/etc/passwd]/mode: mode
  changed '0444' to '0644'
  debug: /Stage[main]/Core_permissions/File[/etc/passwd]: The container
  Class[Core_permissions] will propagate my refresh event
  debug: /Stage[main]/Core_permissions/File[/etc/passwd]: The container
  Class[Core_permissions] will propagate my refresh event
  debug: Class[Core_permissions]: The container Stage[main] will
  propagate my refresh event
  debug: /Schedule[never]: Skipping device resources because running on
  a host
  debug: /Schedule[weekly]: Skipping device resources because running on
  a host
  debug: /Schedule[puppet]: Skipping device resources because running on
  a host
  debug: Finishing transaction 549485440
  debug: Storing state
  debug: Stored state in 0.04 seconds
  notice: Finished catalog run in 0.11 seconds
  debug: Value of 'preferred_serialization_format' (pson) is invalid for
  report, using default (yaml)
  debug: report supports formats: b64_zlib_yaml marshal raw yaml; using
  yaml
 
  I am now receiving this issue again
 
  mporting report report-14137-1.yaml at 2012-04-05 10:49 EDT
  undefined method `each' for nil:NilClass
  Backtrace
  /opt/puppet/share/puppet-dashboard/lib/puppet/report.rb:202:in
  `extended'
  /opt/puppet/share/puppet-dashboard/lib/puppet/report.rb:200:in `each'
  /opt/puppet/share/puppet-dashboard/lib/puppet/report.rb:200:in
  `extended'
  /opt/puppet/share/puppet-dashboard/lib/puppet/report.rb:114:in
  `extend'
  /opt/puppet/share/puppet-dashboard/lib/puppet/report.rb:114:in
  `extended'
  /opt/puppet/share/puppet-dashboard/app/models/report.rb:107:in
  `extend'
  /opt/puppet/share/puppet-dashboard/app/models/report.rb:107:in
  `create_from_yaml'
  /opt/puppet/share/puppet-dashboard/app/models/report.rb:86:in
  `create_from_yaml_file'

 If you are using ruby 1.9.1, it is known to be problematic:
 http://docs.puppetlabs.com/guides/faq.html

  Also it automatically added the node back to default, anyway to
  prevent that?

 Looks like there's a background task automatically adding nodes. I
 don't know a good way around this issue. You can move the pe-* class
 to another group but you will need to manually add nodes to that group
 afterwards.

 There's a cron job that calls a rake task that will automatically add
nodes that it knows about to the default group. You will most likely need
to
A) move the offending classes out of the default group as Nan suggests, or
B) disable the cron job and manually add new nodes to the appropriate
groups, or
C) write a new cron job/rake task that will only add the nodes you want.

See /etc/cron.d/default-add-all-nodes

on your PE console node.

- Justin


HTH,

 Nan

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.



-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send

Re: [Puppet Users] Re: PE - installation error

2012-04-01 Thread Justin Stoller 
So, this is an Awesomely un-helpful error message.

First there's two (possibly three) things that happen between the Setting
up puppet agent... message and whatever message comes next (the next
message depends on if you're installing the console or not).

First the installer runs puppet agent -t to request a cert. This is almost
certainly where it's failing. If you did a previous install with a master
on a different node, then you need to make sure the agent's cert has been
cleaned off of the master before trying to re-install. If you don't the
master says, I already have a cert for that node, you're a fake! and the
installer dies. If this was a master node, make sure that when you ran the
uninstaller you ran with a `-p`, the purge option, to remove
/etc/puppetlabs and the configs within there.

Then the installer tries to start the puppet agent daemon and enable it to
run at boot. This is a non-portable section that fails with a decent error
message if it can't figure out what to do.

If this is NOT installing a console as well, then it will generate the
puppet master's passenger conf file. Which also should not cause it to bail.


To resolve the issue you might want to try:
 Re-running the uninstaller with -p (and if you had a database installed
with PE, don't forget to clean out /var/lib/mysql!) and then re-running the
installer with `bash -x`

You can also take a 'snapshot' of pertinent information on your node by
running the support script in the extracted PE tarball and send its output
to supp...@puppetlabs.com .

If you got this far in the installation you might want to change the
version string in /opt/puppet/pe_version to something like '2.0.3' and try
running the upgrader.

Or keep trying here (and at the issue tracker) with more info about your
platform (UbuntuLTS, SLES 11.2,,,), configuration (agent only, split
master/console), etc


HTH,
Justin



On Sun, Apr 1, 2012 at 10:33 AM, hreeder harry...@gmail.com wrote:

 I am also getting this error.
 I had puppet installed, however I uninstalled it using the provided script.
 Now I wish to reinstall it and I get the above error.


 On Friday, March 30, 2012 1:34:34 AM UTC+2, David Summers wrote:

 I'm receiving the exact same error.  Did you ever figure out what was
 causing it?

 On Wednesday, March 21, 2012 6:24:37 AM UTC-5, Surendra Singhi wrote:

 Hi,

 I am trying to install puppet enterprise on a fresh Debian Squeeze
 machine, but I am getting an error midway with no information on what
 went wrong. How do I troubleshoot or look for more debugging
 information?

 This is what the screen output for installation is:

 thanks for your help in advance!

 Setting up pe-rubygem-fog (1.0.0e-1puppet2) ...
 Setting up pe-cloud-provisioner (1.0.1-puppet1) ...
 ## Setting up puppet master...
 /opt/puppet/share/puppet/**modules does not exist, creating.
 Installed puppetlabs-pe_accounts-1.0.2 into directory: pe_accounts
 Installed puppetlabs-pe_mcollective-0.**0.39 into directory:
 pe_mcollective
 Installed puppetlabs-pe_compliance-0.0.**4 into directory:
 pe_compliance
 Installed puppetlabs-stdlib-2.1.2 into directory: stdlib
 ## Checking the agent certificate name detection...
 ## Setting up puppet agent...

 ==**==**
 ==**==**
 ==**

 !! ERROR: Cancelling installation

 ==**==**
 ==**==**
 ==**

  --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To view this discussion on the web visit
 https://groups.google.com/d/msg/puppet-users/-/4howgkVuK4sJ.

 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Puppet Enterprise 2.5 and cucumber-puppet

2012-03-30 Thread Justin Stoller 
I've used PE with cucumber-puppet before

I put cucumber/cucumber-puppet in the same ruby as PE (which I *think* is a
requirement for cucumber-puppet),
which required manually setting up the dependencies for, and installing
pe-ruby-devel then using /opt/puppet/bin/gem.

Installing the ruby development headers (required for building cucumber) in
PE has been deprecated and the pe-ruby-devel package is really only there
for upgrades for those that installed 1.2. I'm unsure of the status of
pe-ruby-devel going forward.


 - Justin



On Fri, Mar 30, 2012 at 10:06 AM, Nikolay Sturm goo...@erisiandiscord.dewrote:

 On Mar 29, 11:17 am, Brian Carpio bcar...@thetek.net wrote:
  Is cucumber-puppet compatible with Puppet Enterprise 2.5? If not is
  there a test framework which is similar that is?

 I haven't used puppet enterprise, but I would be surprised if it
 showed massive incompatibilities with the open-source version.
 Anyways, if cucumber-puppet does not work with puppet enterprise,
 please file a bug report and I'll take care of it.

 HTH,

 Nikolay

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.



-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Cannot see node on Live Management

2012-02-20 Thread Justin Stoller 
Have you tried su-ing to the peadmin user on the master node and trying
`mco ping`?

Live Management is basically a front end for actions the peadmin user can
do. Dropping down to that level may let you debug the issue easier.

Other things to check are that activemq is working and correctly configured
on the master, as well as mcollective on all of your agent nodes.

You may also find more users that understand your question on the pe-users
list (I assume if you're using Live Management you're using PE)

 - Justin



On Mon, Feb 20, 2012 at 11:35 AM, Littman, Mark B mlitt...@indiana.eduwrote:

 Yes it is in the default group. I am wondering if it is a permissions
 issue for the puppet user account? Does that need anything special for live
 management ?

 Reminder: it shows on all other tabs on the puppet console...just not live
 management.


 -Original Message-
 From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com]
 On Behalf Of Michael Stahnke
 Sent: Monday, February 20, 2012 2:31 PM
 To: puppet-users@googlegroups.com
 Subject: Re: [Puppet Users] Cannot see node on Live Management

 On Mon, Feb 20, 2012 at 4:29 AM, Mark B mlitt...@indiana.edu wrote:
  The node and reports show up on the dashboard but not on the live
  management tab.
 
  Does anyone have any suggestions? is this a permissions issue?
 
 Is the node in the default group in the dashboard?  Puppet runs setup the
 mcollective/live management bits.  The class is called pe_mcollective.


  --
  You received this message because you are subscribed to the Google
 Groups Puppet Users group.
  To post to this group, send email to puppet-users@googlegroups.com.
  To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
  For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.
 

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.



-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] finally have puppet/passenger/dashboard working... new problem

2012-01-27 Thread Justin Stoller 
I found this bug in Redmine that sounds like it could be your problem.
http://projects.puppetlabs.com/issues/3234

It looks like a long standing issue, but that Nick L is possibly on to a
solution. Could you review the ticket to see if this is what is affecting
you and if so post your newest info in to help the Open Source team
prioritize it?

If this isn't what's affecting you please open a new ticket with your
information.

And of course if the work arounds in the ticket work for you, please let
the list know  ; )

On Fri, Jan 27, 2012 at 9:16 AM, Peter Berghold salty.cowd...@gmail.comwrote:

 What the heck does this mean?

 err: Could not retrieve catalog from remote server: Error 400 on SERVER:
 undefined method `fact_merge' for nil:NilClass
 warning: Not using cache on failed catalog
 err: Could not retrieve catalog; skipping run

 Only seems to be happening on one host in particular...


 --
 Peter L. Berghold
 Owner, Shark River Technical Solutions LLC

 --
 You received this message because you are subscribed to the Google Groups
 Puppet Users group.
 To post to this group, send email to puppet-users@googlegroups.com.
 To unsubscribe from this group, send email to
 puppet-users+unsubscr...@googlegroups.com.
 For more options, visit this group at
 http://groups.google.com/group/puppet-users?hl=en.


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.