Re: [Puppet Users] Ubuntu /var/lib/puppet/lib failed.

2010-04-26 Thread Patrick
I hate this bug.  This is actually just cosmetic.  There are two easy ways to 
fix it.
1) Set pluginsync to false on every client.  (Using puppet)
2) Set up a plugin folder.

I recommend just using 1 for now, and dealing with it later since it's just a 
cosmetic bug until you try to use plugins.


Also, here's a bit more advice that is "common knowledge" here in the list, but 
isn't well documented.

Basically, 0.24.5 is very old, slow and a little buggy.  Mostly the problem is 
that it scales very badly.  If you plan to jump to Lucid when it comes out, I 
wouldn't worry.  0.24.5 is ok for getting started.  It's later that you'll have 
problems.  Most of those problems will go away once you switch to 0.25.4.

Scaling problems means that your server will probably fail when it gets more 
than 5-20 clients.

If you're not willing to upgrade the server (and clients) then you'll probably 
want to uninstall the puppet package and install from source.  Whenever you 
upgrade puppet a major version, the server must always be upgraded first.

Also, the "File" resource doesn't work well with big files (over 50kb-500kb) or 
recursively managed directories with lots of files.  The recommended way to get 
around this is by using packages to deploy files, exec+rsync, exec+wget, or 
exec+nfs+cp. 

On Apr 26, 2010, at 11:21 AM, Douglas Garstang wrote:

> Running puppet on ubuntu for the first time. Getting this.
> 
> Apr 26 11:12:36 ext-web1.fr.xxx.com puppetd[17974]: Starting Puppet
> client version 0.24.5
> Apr 26 11:12:37 ext-web1.fr.xxx.com puppetd[17974]:
> (/File[/var/lib/puppet/lib]) Failed to retrieve current state of
> resource: No specified source was found from puppet://puppet/plugins
> Apr 26 11:12:40 ext-web1.fr.xxx.com puppetd[17974]: Starting catalog run
> Apr 26 11:12:40 ext-web1.fr.xxx.com puppetd[17974]: Finished catalog
> run in 0.02 seconds
> 
> Anyone know what it means?
> 
> Doug.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-us...@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
> 




Re: [Puppet Users] Problem using exec with vmbuilder

2010-04-26 Thread Patrick

On Apr 25, 2010, at 11:32 AM, Yann wrote:

> Hello, I am trying to create a VM using puppet and vmbuilder. I've got
> the following declaration (now very simplified):
> 
> define virtual_machine ($ip) {
>     exec { "create_vm_${name}":
>         command => "/usr/bin/vmbuilder kvm ubuntu -d CNDR -v -m 512 --cpus=1 --rootsize=5096",
>         unless  => "/usr/bin/test -d /var/lib/kvm/${name}",
>     }
> }
> 
> When I run puppetd in debugging mode on the client I get this:
> 
> 
> debug: //Node[10.0.0.165]/Virtual_machine[anewvm]/
> Exec[create_vm_anewvm]: Executing check '/usr/bin/test -d /var/lib/kvm/
> anewvm'
> debug: Executing '/usr/bin/test -d /var/lib/kvm/anewvm'
> debug: //Node[10.0.0.165]/Virtual_machine[anewvm]/
> Exec[create_vm_anewvm]: Changing returns
> debug: //Node[10.0.0.165]/Virtual_machine[anewvm]/
> Exec[create_vm_anewvm]: 1 change(s)
> debug: //Node[10.0.0.165]/Virtual_machine[anewvm]/
> Exec[create_vm_anewvm]: Executing '/usr/bin/vmbuilder kvm ubuntu -d
> CNDR -v -m 512 --cpus=1 --rootsize=5096'
> debug: Executing '/usr/bin/vmbuilder kvm ubuntu -d CNDR -v -m 512 --
> cpus=1 --rootsize=5096'
> notice: //Node[10.0.0.165]/Virtual_machine[anewvm]/
> Exec[create_vm_anewvm]/returns: executed successfully
> debug: Finishing transaction 70279583715580 with 1 changes
> 
> 
> But... the command is never executed. If I run /usr/bin/vmbuilder kvm
> ubuntu -d CNDR -v -m 512 --cpus=1 --rootsize=5096 by hand I get:
> 
> r...@venice:/etc/puppet# /usr/bin/vmbuilder kvm ubuntu -d CNDR -v -m
> 512 --cpus=1 --rootsize=5096
> 2010-04-25 19:30:16,738 INFO: Creating disk image: /tmp/
> vmbuilderConQHr/disk0.img
> 2010-04-25 19:30:16,745 INFO: Adding partition table to disk
> image: /tmp/vmbuilderConQHr/disk0.img
> 2010-04-25 19:30:16,838 INFO: Adding type 1 partition to disk
> image: /tmp/vmbuilderConQHr/disk0.img
> 2010-04-25 19:30:16,896 INFO: Adding type 3 partition to disk
> image: /tmp/vmbuilderConQHr/disk0.img
> 2010-04-25 19:30:16,903 INFO: [0] ../../libparted/filesys.c:147
> (ped_file_system_type_get): File system alias linux-swap(new) is
> deprecated
> 2010-04-25 19:30:16,954 INFO: Creating loop devices corresponding
> to the created partitions
> 2010-04-25 19:30:16,967 INFO: Creating file systems
> 2010-04-25 19:30:16,971 INFO: mke2fs 1.41.9 (22-Aug-2009)
> 2010-04-25 19:30:17,596 INFO: mkswap: /dev/mapper/loop1p2:
> warning: don't erase bootbits sectors
> 2010-04-25 19:30:17,597 INFO: on whole disk. Use -f to
> force.
> 2010-04-25 19:30:17,604 INFO: Mounting target filesystems
> 2010-04-25 19:30:17,612 INFO: Installing guest operating system
> [...]
> 
> And the operation takes a while.
> So I'm really stuck, it says it executes that command and that the
> command is successful, but apparently, it doesn't execute the command,
> or it is not successful (considering that I see no output, that the VM
> is not created, that the command returns in less than a second
> although it should take 3min+)...
> 
> I tried replacing the vmbuilder command by a simple "touch /tmp/
> test" , that one works.
> 
> Any help would be much appreciated, I've been trying everything for
> hours :(
> 

I have a couple of wild guesses if you run out of ideas:
1) For some reason the program is silently failing if there isn't an associated 
console.
2) It's trying to use environmental variables that don't exist in the session 
created by puppet.
3) Something is wrong with your 'unless' statement.

The easiest to check is 3.  Just remove the unless statement and try again.  
I'd try this first since it's trivial.

I think you can mostly test 1 by trying to run the command while redirecting 
the input from /dev/null

You can indirectly do a partial job of testing 2 putting that command in a bash 
shell script and then executing the script explicitly using bash with the -l 
flag so bash will reconstruct some of the variables.

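One way to run the checks suggested above for guesses 1 and 2, as an added example that is not from the original thread: run the command with stdin from /dev/null, then again with an emptied environment, keeping its output and exit status each time. The stand-in tool, DEMO_WORKDIR and AGENT_PATH are constructed assumptions; substitute the real command.

```sh
#!/bin/sh
# Added example. Reproduces two conditions a command may meet when a daemon
# runs it: no terminal on stdin, and almost no environment. Output and exit
# status are kept so a silent failure becomes visible.

AGENT_PATH=/usr/sbin:/usr/bin:/sbin:/bin   # assumption: minimal daemon-style PATH

# probe MODE LOGFILE CMD [ARGS...]
#   noconsole : caller's environment, stdin from /dev/null
#   cleanenv  : empty environment except PATH, stdin from /dev/null
# Prints the command's exit status; everything it wrote goes to LOGFILE.
probe() {
    mode=$1 log=$2
    shift 2
    status=0
    case $mode in
        noconsole) "$@" </dev/null >"$log" 2>&1 || status=$? ;;
        cleanenv)  env -i PATH="$AGENT_PATH" "$@" </dev/null >"$log" 2>&1 || status=$? ;;
        *) echo "probe: unknown mode $mode" >&2; return 2 ;;
    esac
    printf '%s\n' "$status"
}

# Constructed stand-in for a tool that gives up early when it lacks an
# environment variable (exit 3) or a terminal (exit 4).
write_stand_in() {
    cat > "$1" <<'EOF'
#!/bin/sh
[ -n "${DEMO_WORKDIR:-}" ] || { echo "DEMO_WORKDIR is not set" >&2; exit 3; }
[ -t 0 ] || { echo "stdin is not a terminal" >&2; exit 4; }
echo "build would start here"
EOF
}

demo() {
    work=$(mktemp -d)
    write_stand_in "$work/tool"
    DEMO_WORKDIR=$work; export DEMO_WORKDIR
    echo "noconsole: exit $(probe noconsole "$work/a.log" sh "$work/tool"): $(cat "$work/a.log")"
    echo "cleanenv:  exit $(probe cleanenv "$work/b.log" sh "$work/tool"): $(cat "$work/b.log")"
    rm -rf "$work"
}
demo
```

A probe that fails only in cleanenv mode points at guess 2; one that already fails in noconsole mode points at guess 1.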



Re: [Puppet Users] Logging Exec

2010-04-24 Thread Patrick

On Apr 24, 2010, at 3:26 AM, Christian Kauhaus wrote:

> On 24.04.2010 01:02, Douglas Garstang wrote:
>> I need to pass sensitive options, ie passwords, on the command line,
>> and don't want them to appear in log files.
> 
> I think doing so is generally a bad idea. Command line arguments are
> world-readable from the process list. Better put the sensitive parameters
> into a config file with reasonable permissions.
> 
> Christian
> 

To expand on this, most command-line programs that take sensitive parameters 
will also take a file with the parameters so you don't have to expose them to 
the world.

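The exposure Christian describes, shown as an added shell example that is not part of the original thread: the arguments of a running process can be read from /proc/<pid>/cmdline, while a file created under umask 077 is readable only by its owner. The fake-tool name, its --password and --config options and the secret value are constructed for the demo; it assumes Linux.

```sh
#!/bin/sh
# Added example (Linux only). 'fake-tool', its options and the secret are
# constructed; a small sh loop stands in for a long-running command.

SECRET='constructed-secret-1234'
STAND_IN='while :; do sleep 1; done'

# observed_args ARGS...: start the stand-in as "fake-tool ARGS..." and print
# the argument vector that /proc exposes for it while it runs.
observed_args() {
    sh -c "$STAND_IN" fake-tool "$@" >/dev/null 2>&1 &
    pid=$!
    args=''
    tries=0
    while [ "$tries" -lt 50 ]; do        # wait until the child has exec'd
        args=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline" || true)
        case $args in *fake-tool*) break ;; esac
        tries=$((tries + 1))
        sleep 0.1
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$args"
}

# write_secret_file DIR: store the secret in DIR/credentials, created with
# mode 0600 from the start (umask set before the file exists). Prints the path.
write_secret_file() {
    old_umask=$(umask)
    umask 077
    printf 'password=%s\n' "$SECRET" > "$1/credentials"
    umask "$old_umask"
    printf '%s\n' "$1/credentials"
}

# file_mode PATH: permission string such as -rw-------
file_mode() {
    ls -l "$1" | cut -c1-10
}

demo() {
    work=$(mktemp -d)
    echo "secret as an argument : $(observed_args --password "$SECRET")"
    cred=$(write_secret_file "$work")
    echo "secret in a file      : $(observed_args --config "$cred")"
    echo "file permissions      : $(file_mode "$cred")"
    rm -rf "$work"
}
demo
```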



Re: [Puppet Users] Re: /etc/passwd, shadow, group, hosts

2010-04-23 Thread Patrick

On Apr 23, 2010, at 7:15 AM, CraftyTech wrote:

> On Apr 23, 7:24 am, Daniel Pittman  wrote:
>> CraftyTech  writes:
>>> I'm new to puppet, and I'd like to know: Is there a formal best practices
>>> guide for syncing { /etc/passwd, shadow, group, hosts} across clients from
>>> the master?
>> 
>> You will probably find the most common "best practice" answer to this is
>> "don't do it that way": the risks probably outweigh the cost, and using a
>> proper system like LDAP, NIS, or puppet user bits is probably less painful.
>> 
>>> For instance; is it a better practice to make a hard link to these files and
>>> share the link, as opposed to just sharing the files directly via a target
>>> in fileserver.conf?
>> 
>> I would, simply because you reduce the list of exposed files that way.
>> 
>> Daniel
>> 
>> By "would" I mean "would deploy LDAP, but if you insist", of course.
>> --
>> ✣ Daniel Pittman  ✉ dan...@rimspace.net  ☎ +61 401 155 707
>>   ♽ made with 100 percent post-consumer electrons
>> 
> Thanks for the quick reply.  I should have been more specific in my
> question: We do use ldap/DNS in our environment; I wanted to use
> puppet for syncing  the { /etc/passwd, shadow, group, hosts} for the
> purposes of service accounts only, and not users in general.  Also the
> host file would be helpful in case there are hosts names that need to
> be hard coded.  I suppose I can create a class that creates the users
> for the service accounts and propagate it that way...  My thought
> process was that if I have a hand-full of service accounts that need
> to be present in all hosts, and certain hosts that need to be hard-
> coded in the hosts file, that I would just share the previously
> mentioned files via hard link on fileserver.conf.  There appear to be
> some security holes with this approach, so I have to re-think my
> deployment strategy.. All suggestions are welcome :-))

If you only have a few service accounts, it's probably easiest to just manage 
them using the user resource.




Re: [Puppet Users] Re: [Puppet-dev] scaling up puppetmasterd by cloning puppetmasterd

2010-04-21 Thread Patrick

On Apr 21, 2010, at 7:34 PM, Ohad Levy wrote:

> Brian,
> 
> Login to your second puppetmaster and try the following:
> backup your /var/lib/puppet and /etc/puppet dirs
> stop your puppetmaster and puppetd processes
> rm -rf /var/lib/puppet/ssl
> edit your /etc/puppet.conf
> under the [main] section add:
> ca = false
> ca_server = 
> on your first puppet master do puppetca --clean 
> run puppetd on this machine - e.g.
> puppetd -t --server 
> sign the certificate on the first puppetmaster
> start puppetmaster
> Hope this helps,
> Ohad

Cool.  Will this passthrough CA requests?  Here's an example:

Let's call the first puppetmaster CA.

Call the second puppetmaster Backup.

A client with a default puppet.conf that doesn't have a valid cert connects to 
Backup.  Will the client get a valid cert that will work on both masters?
-Patrick




Re: [Puppet Users] scaling up puppetmasterd by cloning puppetmasterd

2010-04-21 Thread Patrick
On Apr 21, 2010, at 3:59 PM, Brian Lam wrote:

> I apologize ahead of time if this post shouldn't go here but I have
> been knocking my head for the last two days trying to get over the
> following error while trying to "clone" my primary puppetmasterd
> because we have outgrown one puppetmasterd setup.
> 
> I have basically set up a 2nd instance of our primary puppetmasterd
> and rsync'ed over /var/lib/puppet/ssl/ from the primary to the
> secondary puppetmasterd.  The client ran to completion (and recorded
> the log in /var/lib/puppet/report/) but the file copying statements
> were failing:
> (see log below)
> 
> Failed to generate additional resources during transaction:
> Certificates were not trusted: hostname was not match with the server
> certificate
> 
> I am sorta desperate at this point and am thinking of trying to hack
> the libraries
> 
> Any advice would be appreciated.  I am running 0.24.6-1.  Thanks in
> advance.
> 
> 
> 
> 
> EQX r...@xen-pup-dash:/etc/puppet# puppetd -vt
> info: Loading fact kernelrelease
> info: Loading fact disk_facts
> info: Loading fact facts
> info: Loading fact www_pool
> info: Retrieving facts
> notice: /File[/var/lib/puppet/facts]/checksum: checksum changed
> '{mtime}Sat Jan 30 16:44:27 -0800 2010' to '{mtime}Sat Jan 30 16:44:28
> -0800 2010'
> info: Loading fact kernelrelease
> info: Loading fact disk_facts
> info: Loading fact facts
> info: Loading fact www_pool
> info: Caching catalog at /var/lib/puppet/localconfig.yaml
> notice: Starting catalog run
> warning: Certificate validation failed; consider using the certname
> configuration option
> err: //Node[xen-pup-dash]/common/File[/home/scripts]: Failed to
> generate additional resources during transaction: Certificates were
> not trusted: hostname was not match with the server certificate
> warning: Certificate validation failed; consider using the certname
> configuration option
> err: //Node[xen-pup-dash]/common/File[/home/scripts]: Failed to
> retrieve current state of resource: Certificates were not trusted:
> hostname was not match with the server certificate Could not describe /
> files/server-configs/eqx-sv2/common/home/scripts: Certificates were
> not trusted: hostname was not match with the server certificate at /
> etc/puppet/manifests/eqx-sv2/production/classes/common.pp:251
> notice: //Node[xen-pup-dash]/common/Remote_file[/home/scripts/
> update.whoami.sh]/File[/home/scripts/update.whoami.sh]: Dependency
> file[/home/scripts] has 1 failures
> warning: //Node[xen-pup-dash]/common/Remote_file[/home/scripts/
> update.whoami.sh]/File[/home/scripts/update.whoami.sh]: Skipping
> because of failed dependencies
> ...
> ...
> ...

I'm pretty sure that the server name that the clients see doesn't match the 
name on the certificate the server is using to authenticate.  I'm not sure what 
the best way around this is.


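A way to check the mismatch suspected above, as an added example that is not from the original thread: compare each name a client connects to against the name in the certificate the master presents. The host names are constructed and a throwaway self-signed certificate stands in for the master's certificate; it assumes the openssl command-line tool with -checkhost support.

```sh
#!/bin/sh
# Added example with constructed names; a throwaway self-signed certificate
# stands in for the certificate a puppetmaster presents to its clients.

# make_server_cert DIR CN: create DIR/cert.pem (and DIR/key.pem) for name CN.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# name_matches CERT HOSTNAME: print "yes" if the certificate is valid for
# HOSTNAME (subjectAltName, or the CN when no subjectAltName is present).
name_matches() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; then
        echo yes
    else
        echo no
    fi
}

# check_clients CERT NAME...: report every client-facing name the certificate
# does not cover, then a summary line with the count.
check_clients() {
    cert=$1
    shift
    bad=0
    for name in "$@"; do
        if [ "$(name_matches "$cert" "$name")" = no ]; then
            echo "MISMATCH: clients using '$name' will reject this certificate"
            bad=$((bad + 1))
        fi
    done
    echo "$bad name(s) not covered"
}

demo() {
    work=$(mktemp -d)
    # Certificate issued for the first master only.
    make_server_cert "$work" puppet1.example.test
    openssl x509 -in "$work/cert.pem" -noout -subject
    # The second name is what clients of a cloned master would connect to.
    check_clients "$work/cert.pem" puppet1.example.test puppet2.example.test
    rm -rf "$work"
}
demo

# Against a live master, save the presented certificate first, for example:
#   openssl s_client -connect HOST:8140 </dev/null 2>/dev/null | openssl x509 > cert.pem
```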



Re: [Puppet Users] Re: puppetd stops

2010-04-21 Thread Patrick

On Apr 21, 2010, at 12:01 PM, Kim Gert Nielsen wrote:

> 
> On Apr 21, 2010, at 8:50 PM, Patrick wrote:
> 
>> 
>> Is restarting puppet using itself supported?  I had always assumed it wasn't.
>> 
> 
> I got the example a long time ago from example42 and they just added a service 
> for it. It has worked before but if it's unsupported then it might be the 
> problem I have :)

I have no idea if it's supported.  I just always assumed it was a bad idea.




Re: [Puppet Users] Re: puppetd stops

2010-04-21 Thread Patrick

On Apr 21, 2010, at 5:51 AM, Ken wrote:

> More data is needed I think.
> 
> Can you run puppetd --no-daemonize --debug in 'screen' or by piping
> the output somewhere? It may give you a better clue.


First, I think you're saying that the client is crashing or hanging.

My advice would be to do this with most of your computers: Use puppet to push 
out a cron job that will either fix puppet, or run puppet.  ie either have it 
just run puppet in cron, or have it run a command to make sure puppet's running 
fine every hour.

Then set up a few you can watch for debugging.  I'd do something like "puppetd 
--no-daemonize --verbose --debug --trace | tee /root/puppet.log".  As Ken said, 
running it in screen would help if you get disconnected.




Re: [Puppet Users] Re: puppetd stops

2010-04-21 Thread Patrick

On Apr 21, 2010, at 11:43 AM, Kim Gert Nielsen wrote:

> 
> On Apr 21, 2010, at 2:51 PM, Ken wrote:
> 
>> More data is needed I think.
>> 
>> Can you run puppetd --no-daemonize --debug in 'screen' or by piping
>> the output somewhere? It may give you a better clue.
>> 
> 
> debug: Service[puppet](provider=debian): Executing 'ps -ef'
> debug: Service[puppet](provider=debian): PID is 29733
> debug: Service[puppet](provider=debian): Executing '/etc/init.d/puppet 
> restart'
> notice: Caught TERM; calling stop
> 
> so it sees an update to puppet.conf and runs a restart .. then it stops .. 
> then I guess the hack with 1 sec delay is not enough

Is restarting puppet using itself supported?  I had always assumed it wasn't.




Re: [Puppet Users] revoked host can't be re-added?

2010-04-21 Thread Patrick

On Apr 21, 2010, at 11:30 AM, Jewels wrote:

> I have a problem I can't figure out. I was having cert problems with a
> host - it seemed to have multiple host names (most likely from dns
> changes in the past) and all the certs were valid. Although it was
> giving an error about a cert I could not identify. So I tried:
> 
> puppetca --revoke hostname
> puppetca --clean hostname
> 
> restart puppetmaster
> 
> puppetca --list --all
> (host does not show up - good)
> 
> On client re-issue puppetd --server puppet --waitforcert 30 --test
> 
> Error is :
> 
> err: Could not retrieve catalog: Certificates were not trusted: sslv3
> alert certificate revoked
> 
> So how do I get rid of it? I can't find a cert anywhere with either a
> valid cert or revoked.. Did I do this wrong? How do you remove and re-
> add a host?

My best guess is that you didn't actually tell the client to get a new cert.  A 
trivial (and overkill) way to do that is to wipe the puppet var directory on 
the CLIENT.  It should be one of these.  
/var/puppet
/var/lib/puppet
/etc/puppet/var

Just shut down puppet, move the directory somewhere else, and see if that fixes 
it.




Re: [Puppet Users] How to bring about serialization in puppet ?

2010-04-18 Thread Patrick

On Apr 18, 2010, at 1:55 AM, Daniel Pittman wrote:

>> Any ideas as to why ruby-devel was not able to install properly during first
>> run?
> 
> Nope.  I can tell you right now that it isn't a puppet problem, though.[1]
> 
> The problem is that puppet executed ...
> 
>     /usr/bin/yum -d 0 -e 0 -y install ruby-devel
> 
> ... and yum returned an error, claiming that it couldn't find a dependency of
> the package.
> 
> Fix your yum setup and puppet will start working.  (Maybe you need something
> to run a 'yum update' or something like that?)
> 
>Daniel
> 
> Footnotes: 
> [1]  Technically, it may be puppet *related* problem, since the way puppet
> invokes the yum command, or the scheduling of it, may cause the failure
> by way of some side-effect.

As a temporary workaround, try adding an entry to install ruby-libs between 
ruby-gems-install and ruby-devel.  I say temporary because this looks like a 
bug that will cause you other problems down the road if you don't find the root 
cause.

Here's one way to diagnose this.  Try running puppet on a new system in debug 
mode.  Then run those same commands yourself on a new system replacing -d 0 -e 
0 with -d 8 -e 1.  Hopefully someone will have an easier idea.




Re: [Puppet Users] Can I specify the order classes are run?

2010-04-18 Thread Patrick

On Apr 18, 2010, at 1:44 AM, Mr Gabriel wrote:

> I'm new to puppet, and just managed to get my puppet master working,
> and creating files.
> 
> Now I want to begin to build software 'stacks' that work across
> multiple distros.
> 
> But my limited understanding of puppet, is that a client will download
> all its instructions at once, and then execute them, can I assume that
> they will be executed in the order they appear in site.pp ?
> 

In a word, no.

I don't have time for a complete answer, but you can find it at 
http://groups.google.com/group/puppet-users/browse_thread/thread/60413b96a3bd3843/fbe7aafe140a0b0b?hl=en&lnk=gst
-Patrick




Re: [Puppet Users] How to bring about serialization in puppet ?

2010-04-18 Thread Patrick

On Apr 18, 2010, at 1:17 AM, Mayank wrote:

> On Sun, Apr 18, 2010 at 8:45 AM, Nigel Kersten  wrote:
> On Sat, Apr 17, 2010 at 6:21 PM, Douglas Garstang
>  wrote:
> > On Thu, Apr 15, 2010 at 8:44 AM, Jim Bala  wrote:
> >> On Apr 15, 2010, at 1:30 AM, Mayank wrote:
> >>
> >>> Hi,
> >>>I'm trying to manage some hosts using a single puppetmaster. I
> >>> don't know why but puppet on clients seems to be executing the recipes
> >>> hosted on puppetmaster in a random order which is breaking apart
> >>> dependencies and resulting in a failed run of puppet for first time.
> >>> If I do multiple run of puppet thru puppetd --test, everything gets
> >>> installed and configured properly. However it's very rare that on
> >>> first run I can see puppet managing the configuration and installation
> >>> without fail.
> >>>   Is there any way I can bring about serial execution of puppet
> >>> recipes. What I mean by serial execution is that suppose I've a
> >>> site.pp with following content:
> >>>
> >>> package {"ruby-devel": ensure=>latest}
> >>> package {"rubygems": ensure=>latest}
> >>> exec {"install-mysql-gem":
> >>> command=>'gem install mysql',
> >>> path=>"/bin:/usr/bin:/usr/sbin:/sbin",
> >>> require=>[ Package["ruby-devel"], Package["rubygems"]]
> >>> }
> >>>
> >>> Now in many cases puppet tries to execute Exec["install-mysql-gem"]
> >>> before Package["ruby-devel"] or Package["rubygems"] or both.
> >>>
> >>> Is there a way that I can ensure that puppet renders the file in order
> >>> the script is written ?
> >>>
> >>> BTW I'm using CentOS 5.4 with puppet-server-0.24.5-1.el5 and
> >>> puppet-0.24.5-1.el5.
> >
> > Keep at it. You'll get it all working with requires=> eventually. It
> > will take forever, your head will hurt, and by the time you're done,
> > you'll have a god-awful dependency mess that will make you totally
> > afraid to touch any of it ever again, but you'll get it eventually if
> > you keep at it! I did!
> 
> So we went there with the more complicated parts of our config, and
> then I came back to sanity, with enforcing this really really simple
> rule on all our commits. As intra-class require/before statements can
> only refer to individual resources. (by definition), the rule is that:
> 
> Inter-class require/before statements can only refer to whole classes,
> never ever individual resources within those classes.
> 
> 
> I mean this is all good programming practice, but it's not something
> people always keep in mind when putting out an ops fire and checking
> fixes in, but it really makes your dependency situation so much
> cleaner. You have well defined interfaces between objects, and you're
> free to change internal behavior as you need to without being afraid
> to touch stuff.
> 
> 
> >
> > Doug.
> >
> > 
> >
> 
> 
> 
> --
> nigel
> 
> 
> I can't take chances with re running puppet as what I am trying to accomplish 
> is complete automation of a setup on EC2. I've a script which fires up new 
> instances on EC2. These instances are built using custom AMI (machine images) 
> which have entry for puppetmaster in /etc/hosts and have puppet installed on 
> 'em. I am running puppetd --test thru rc.local and since my puppetmaster is 
> configured to autosign, hence I need this first run of puppetd --test to get 
> the job done. As entire setup is automated so I can't wait for multiple runs 
> of puppet before everything gets installed properly. I've tried to make a 
> dependency tree which should work out for me and will be testing it in next 
> 20 min  Will revert back with any updates in case something fails this 
> time... I need this first run of puppet to run without fail for me... Praying 
> to God this time to make it a success :)

If you need it to work that bad, you could probably put more than one run in 
your initialization script.  Also, if you send the second log somewhere, you 
can improve it over time.  You'll probably want to make it run with the cache 
though if you're worried about performance.  Remember that "--test" removes 
caching.  I use "puppetd --onetime --verbose --no-daemonize".
-Patrick Mohr




Re: [Puppet Users] Time to scale up? : Could not call fileserver.describe: #

2010-04-14 Thread Patrick

On Apr 14, 2010, at 8:44 AM, Jeff McCune wrote:

> On Wednesday, April 14, 2010, Dick Davies  wrote:
>> I'm getting a lot of 'connection reset' errors all of a sudden on our
>> 0.24.8 puppetmaster.
>> I'm assuming that's a load issue?
>> 
>> Number of nodes has been stable for a month or so, but a lot of them
>> were rebooted at the same time
>> yesterday so they rain down requests on the poor (untuned, webrick
>> based) puppetmaster
>> in concert every 30 minutes.
>> 
>> Quick hack is to try to manually stagger them (by shunting half the
>> node runs back 15 minutes),
>> but obviously it's time to scale this install up.
>> 
>> I was thinking of bumping to 0.25.3 (latest EPEL, puppetmaster then
>> nodes), and then switching over
>> to Passenger. Is that a sensible approach? Thanks!
> 
> I encountered similar issues with the default master and passenger has
> alleviated all of those issues for me.  I definitely recommend
> passenger. 0.25.3 has some SSL related bugs you may want to avoid with
> 0.25.4


Upgrading your server and clients to 0.25.x will probably double your server's 
capacity.  Adding passenger makes it much higher.  My server with passenger is 
a Pentium D with 512 Megs of Memory.  It's just fine when I tell all the 
clients to hit it at once.  Even then, the puppet runs only take twice as long. 
 (120 seconds compared to 60 seconds)





Re: [Puppet Users] DNS recipes

2010-04-13 Thread Patrick

On Apr 13, 2010, at 3:09 PM, SyRenity wrote:

> Hi.
> 
> Are there any DNS recipes for puppet?
> 
> Thanks.

DNS server or client?  If server, what server?




Re: [Puppet Users] Puppet high-availability

2010-04-13 Thread Patrick

On Apr 13, 2010, at 3:26 PM, SyRenity wrote:

> Hi.
> 
> I asked this question in past on this list, and now working to set it
> running.
> 
> My idea is to have 2 Puppet servers, who are also the DNS servers.
> Each one would have itself as the puppet hostname.
> Both of the servers will pull the manifests from external git repo.

I've heard of people using one DNS server and then telling the DNS server to do 
whatever magic is needed to make both puppet servers as part of a pool.  That 
will also give you a performance boost.  




Re: [Puppet Users] Yum repo update now causing failure in client.

2010-04-12 Thread Patrick
It looks to me like yum itself is broken.  Try installing something using the 
yum command-line client.

On Apr 12, 2010, at 7:24 PM, dbs wrote:

> Okay, I'm stymied.  I set up a rule to kick a new .repo file out to my
> clients into /etc/yum.repos.d/ called 'lwm.repo'.
> 
> The rule says:
> class lwm-repos{
> 
>   file { "/etc/yum.repos.d/lwm.repo" :
>   owner => "root",
>   group => "root",
>   mode => 444,
>   source => "puppet:///lwm-repos/lwm.repo",
>   notify => Exec["updatecache"]
>   }
> 
>   exec { "updatecache" :
>   path => "/usr/bin:/usr/sbin:/bin",
>   command => "yum makecache",
>   }
> }
> 
> The .repo file was disted out, but I started getting:
> 
> Apr 12 21:29:23 bos-rep-etl01 puppetd[5135]: Caught TERM; calling stop
> Apr 12 21:29:23 bos-rep-etl01 puppetd[5486]: Reopening log files
> Apr 12 21:29:23 bos-rep-etl01 puppetd[5486]: Starting Puppet client
> version 0.25.4
> Apr 12 21:29:24 bos-rep-etl01 puppetd[5486]: Could not prefetch
> package
> provider 'yum': Execution of '/usr/bin/python
> /usr/lib/ruby/site_ruby/1.8/puppet/provider/package/yumhelper.py'
> returned 1: Traceback (most recent call last):   File
> "/usr/lib/ruby/site_ruby/1.8/puppet/provider/package/yumhelper.py",
> line
> 115, in ? ypl = pkg_lists(my)   File
> "/usr/lib/ruby/site_ruby/1.8/puppet/provider/package/yumhelper.py",
> line
> 40, in pkg_lists my.doTsSetup()   File
> "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 72, in
> doTsSetup return self._getTs()   File
> "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 85, in
> _getTs
>self._getTsInfo()   File
> "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 91, in
> _getTsInfo self._tsInfo.setDatabases(self.rpmdb, self.pkgSack)
> File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 537, in
>  pkgSack = property(fget=lambda self: self._getSacks(),
> File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 392, in
> _getSacks s
> Apr 12 21:29:24 bos-rep-etl01 puppetd[5486]:
> (//lwm-repos/Exec[updatecache]/returns) change from notrun to 0
> failed:
> yum makecache returned 1 instead of one of [0] at
> /etc/puppet/modules/lwm-repos/manifests/init.pp:17
> Apr 12 21:29:24 bos-rep-etl01 puppetd[5486]: Finished catalog run in
> 0.54 seconds
> 
> Now I cannot make those messages DISAPPEAR.  I've disabled the Notify,
> disabled the exec block in the rule, heck even commented out the
> 'include' in the nodes.pp that includes that module.  I added
> ignorecache to the client puppetd.conf file, but no dice there either.
> 
> Questions : is this the proper way to get a .repo out onto the client
> machine?
> 
> And... what's causing this error message?
> 
> Server: CentOS 5.4 puppetmaster 0.25.4
> Client: CentOS 5.2 puppetd 0.25.4
> 
> Help please!
> 
>-d
> 



Re: [Puppet Users] excluding modules from filebucketing

2010-04-08 Thread Patrick

On Apr 8, 2010, at 11:11 PM, chakkerz wrote:

> G'day all
> 
> I've got the following two lines in my site.pp:
> 
> # Define the bucket
>filebucket { main: server => puppet }
> 
> # Specify it as the default target
>File { backup => main }
> 
> Which I added based on something in the best practices page. Thing is,
> I've got a couple of servers that are getting larger files (quite
> large actually) and they are constantly changing and i really don't
> care about the files being different, causing their clientbucket
> directory to get largish.
> 
> Is there a way to exclude the modules where i don't care about
> changes, short of nuking the current destination file before i
> transfer the new copy (i figure that might do the trick, haven't
> checked though).

This probably isn't exactly what you want, but you can always set the value of 
"backup" for individual files.  Just set it to "false" for the individual 
files.  




Re: [Puppet Users] Re: Strange order dependency

2010-04-08 Thread Patrick

On Apr 8, 2010, at 11:03 PM, chakkerz wrote:

> I think i had a similar problem some time ago. The best way around it
> (whoa that's a loaded statement : ) ) is to:
> 
> Move your recursive etc pushout into a module, and tell anything that
> also wants to write into /etc to do so with a
> require => File["/etc"],
> 
> That way your /etc/ from your preferred source is there, and
> subsequent files can write into it.
> 
> Now ... i don't recall if the recursive replace removes everything
> first, but i think it does, which really isn't what you want.

Only if you set purge => true
-Patrick




Re: [Puppet Users] is puppet the right tool for me?

2010-04-08 Thread Patrick

On Apr 8, 2010, at 7:24 AM, Evan Hisey wrote:

>> Regardless of if puppet is intended to manage multiple similar hosts, it is
>> still useful when you have a smaller number of unique hosts.
>> 
>> If every host is completely unique then you get one some benefits of puppet:
>>  * you have a single place to review your configuration
>>  * you can make changes without having to do it by hand
>>  * puppet checks nothing has changed, and puts it back if something has
>> 
>> However, I bet that all your hosts are a *lot* more alike than you think:
>>  * you probably use the same web server (apache, or so), and *mostly* have it
>>   set up the same way on each machine, right?
>>  * you probably use the same MTA on most machines
>>  * you probably use the same log watching and checking stuff on 'em all
>>  * you probably have similar needs for installing PHP and some extra PHP
>>   modules, which are usually configured more or less the same.[1]
>>  * you probably do a bunch of "install mysql, configure like this" stuff the
>>   same on each host.
>> 
> 
> You forgot a biggy bonus of puppet, no matter what size you support. I
> have several small ( as in 1-3) groups  of very different machines,
> and with puppet I can rebuild them very quickly on when they need to
> be replaced or upgraded. doing it by hand takes most of a day or 2.
> 

+1 to this.  Almost all the computers I manage have pretty simple 
configurations, but it's nice to know that with 4 commands I can wipe 
everything and bring it back to a known state.  I use a tftpinstall+preseeding 
for ubuntu.  Then puppet finishes the job.  My use case is probably different 
from yours because most of my machines don't have data that needs to be saved 
on them.
-Patrick




Re: [Puppet Users] File Size

2010-04-08 Thread Patrick

On Apr 8, 2010, at 2:15 AM, Thomas Bellman wrote:

> Trevor Vaughan wrote:
> 
>> Mainly sugar around the call with the ability to twiddle all of the
>> useful rsync flags in a platform-agnostic manner where possible.
>> That would be truly awesome.
> 
> I have such a define in my module "nsc-puppet-utils" (available at
> http://www.nsc.liu.se/~bellman/nsc-puppet-utils.git).  You use it
> like this:
> 
>rsync_mirror {
>epel-5-x86_64:
>source => "rsync://mirrorhost/fedora-epel/5/x86_64/./",
>target => "/pkg/epel-5.x86_64",
>rsyncflags => ['--exclude', 'repoview', '--exclude', 'debug'],
>creates => "/pkg/epel-5.x86_64/repodata/repomd.xml",
>hour => 3, minute => 25;
>}
> 
> This does two things: when run the first time, it actually does
> an rsync of a directory tree.  And then it creates a cron job
> for keeping the tree synchronized with the source.  You use the
> 'creates' parameter to indicate a file that you expect to exist
> in the tree, so Puppet itself doesn't have to run rsync every
> time.  If you mirror a large tree that could take a long time,
> even if no files actually need to be transferred (I use it to
> keep a mirror of CentOS and EPEL on a cluster, so we can re-install
> our nodes anytime without being dependant on external servers).
> 
> Is this what you want?  Any suggestions for improvements?
> 

It sounds like we have very different ideas about how this should work.
For me, an ideal module would use the schedule argument, and not have 
anything to do with cron.


I wouldn't use any of these tags, but here are more ideas while you are 
asking:
require
depends
subscribe
notify
onlyif
unless
refreshonly

-Patrick




Re: [Puppet Users] Trouble with Puppet+Augeas in 0.25, but not in 0.24

2010-04-07 Thread Patrick

On Apr 4, 2010, at 3:14 AM, Peter Meier wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
>>augeas{"samba-global2":
>>context => "/files/etc/samba/smb.conf/
>> target[.='global']",
>>changes => [
>>"set workgroup MSHOME",
>>"set 'os\ level' 31",
>>],
>>}
>> }
>> 
>> This works in 0.24.8 and fails in 0.25.4.  Anyone know what change I
>> should make to get it working, or should I file a bug?
> 
> can you try without escaping the whitespace:
> 
>>"set 'os\ level' 31",
> vs.
>>"set 'os level' 31",
> 
> As augeas got some improvements in 0.25 and might finally work as
> expected, as in my opinion as you are setting single quotes the escaping
> shouldn't be required.
> And if it still fails, can you test it with 0.25.5rc1? This one got
> further improvements. You can also try to apply that recipe manually
> with the puppet-binary, so you don't have to upgrade your whole chain to
> an rc.
> 
> cheers pete

I seem to have found the exact same bug at 
http://projects.puppetlabs.com/issues/3387

Is there any easy way to check to see if that fix is in 0.25.5rc1?




Re: [Puppet Users] File Size

2010-04-07 Thread Patrick
I second this.  Puppet will load the whole file into ram, and puppet never 
deallocates memory.  It's almost always better to move big files by putting 
them into a package or using an "Exec" type with "creates."


On Apr 7, 2010, at 10:21 AM, Daniel Kerwin wrote:

> Not sure about a limit but puppet isn't very good at transferring
> really big files. This may lead to memory problems afaik
> 
> On Wed, Apr 7, 2010 at 6:56 PM, Seeker  wrote:
>> Hi all, Just wondering, is there a limit on the file size that you can
>> transfer with PUPPET.
>> 
>> Thank you all
>> 
>> 
> 
> 
> 
> -- 
> 
> Cheers,
> 
> Daniel
> 



Re: [Puppet Users] Re: Cannot get puppet master to sign certificate with Ubuntu 10.04

2010-04-05 Thread Patrick

On Apr 5, 2010, at 5:23 AM, h3 wrote:

> Yeah .. this seems to be exactly my problem.
> 
> It would be nice if either the server or client could throw an
> exception to give a clue about the problem ..

I did get useful messages when I used the --verbose and --debug flags.  Usually 
puppet won't give you any useful information without one or both of those.


> I've spent last night debugging this problem and couldn't find any
> trace of errors ..

I just had a lucky guess because I had been working on an upgrade to lucid.  
Usually, people won't be able to help you much unless you have at least 
--verbose turned on.

I ended up solving the problem the other way.  I pulled the Lucid puppet and 
facter packages backwards.  I did have a backup ready though.

> On 5 avr, 05:18, Patrick  wrote:
>> On Apr 4, 2010, at 8:29 PM, h3 wrote:
>> 
>> 
>> 
>> 
>> 
>>> I have a puppet master running on a Ubuntu Hardy. I have some other
>>> Ubuntu servers and clients ranging from hardy to karmic that works
>>> fine.
>> 
>>> Now I've set up a fresh Lucid Lynx install (10.04) and I can't get a
>>> certificate for it:
>> 
>>> Client:
>> 
>>>> sudo puppetd --waitforcert 60 --test
>> 
>>>> info: Creating a new SSL key for h3-desktop
>>>> warning: peer certificate won't be verified in this SSL session
>>>> warning: peer certificate won't be verified in this SSL session
>>>> info: Creating a new SSL certificate request for h3-desktop
>>>> warning: peer certificate won't be verified in this SSL session
>>>> warning: peer certificate won't be verified in this SSL session
>>>> warning: peer certificate won't be verified in this SSL session
>>>> warning: peer certificate won't be verified in this SSL session
>>>> notice: Did not receive certificate
>>>> warning: peer certificate won't be verified in this SSL session
>>>> notice: Did not receive certificate
>> 
>>> Server:
>> 
>>>> h...@server:/tmp$ sudo puppetca --list
>>>> No certificates to sign
>> 
>> Is the server version 0.24.x and the client is 0.25.x?  0.24 clients can 
>> connect to 0.25 servers, but not the other way around.
> 



Re: [Puppet Users] How to push config from master ?

2010-04-04 Thread Patrick
I've heard you can push config using puppet, but I've never tried it.  If 
you're interested, take a look at the command puppetrun and "puppetd --listen".
When I need to do something now on all the nodes, I use a distributed ssh 
program.  I set up the ssh server using puppet on each client.  (Client means 
puppet client.  In this case, all clients are running a webserver.)

Just a quick reminder, if all your clients update at once instead of one at a 
time, make sure that the server that you use (puppet and/or svn) can handle the 
load of being hit by all 70 at once.  If it can't, make sure they connect 
sequentially.

On Apr 4, 2010, at 10:23 PM, jatinderg...@gmail.com wrote:

> Around 70 
> Sent via BlackBerry by AT&T
> 
> -Original Message-
> From: Patrick 
> Date: Sun, 4 Apr 2010 22:22:10 
> To: 
> Subject: Re: [Puppet Users] How to push config from master ?
> 
> 
> On Apr 4, 2010, at 9:53 PM, jatinderg...@gmail.com wrote:
> 
>> Thank you so much for the reply. I have a bunch of webservers, and I want to 
>> be able to run svn update on all the webservers from master. Of course I can do 
>> cron job that runs svn update, but I would like to revert to previous 
>> version on fly if needed. So maybe I need to use that tool you are talking 
>> about ?
>> 
> 
> How many is "a bunch"?  5, 30, 100, 1000?
> 
>> 
>> -Original Message-
>> From: Patrick 
>> Date: Sun, 4 Apr 2010 21:43:45 
>> To: 
>> Subject: Re: [Puppet Users] How to push config from master ?
>> 
>> 
>> On Apr 4, 2010, at 7:00 PM, JT wrote:
>> 
>>> I am trying to push configuration from the server. Here is the simple
>>> config
>>> 
>>> node 'client.master.com' {
>>> package { 'curl': ensure => present
>>> }
>>> }
>>> 
>>> -bash-3.2#puppet site.pp
>>> dnsdomainname: Unknown host
>>> Could not find default node or by name with 'domu-12-31-39-09-a4-
>>> c4.com, domu-12-31-39-09-a4-c4, domU-12-31-39-09-A4-C4.com,
>>> domU-12-31-39-09-A4-C4' on node domu-12-31-39-09-a4-c4.com
>>> ping client.master.com
>>> PING client.master.com (10.193.125.130) 56(84) bytes of data
>>> 64 bytes from client.master.com (10.193.125.130): icmp_seq=1 ttl=61
>>> time=0.739 ms
>>> 
>>> I can pull config from client but not able to push it from server, I
>>> get this weird DNS error. Please help
>>> 
>> 
>> I can't quite figure out what you are doing.
>> 
>> First, I'm not sure if there's a misunderstanding about terminology, or 
>> something more fundamental.  Puppet in the default configuration is based on 
>> a standard client to server model.  The server doesn't push information.  
>> Instead the client pulls information.  Sorry if I'm repeating what you 
>> already know.  (This is mostly true.  There is a command-line option that 
>> allows you to push configuration, but that probably isn't what you want 
>> right now.)
>> 
>> Now that I have that out of the way I'll continue.  In this case, the client 
>> thinks that the client's name is domU-12-31-39-09-A4-C4.com.  The manifest 
>> only lists a client called client.master.com.  There are three direct 
>> solutions:
>> *) Change something so the client thinks its name is client.master.com.
>> *) Change the manifest so it lists a configuration for 
>> *) Add a configuration for 'default' to the manifest.
>> 
>> I won't have a very good idea of which is best until I get more information 
>> about what you are doing.
>> 

Re: [Puppet Users] How to push config from master ?

2010-04-04 Thread Patrick

On Apr 4, 2010, at 9:53 PM, jatinderg...@gmail.com wrote:

> Thank you so much for the reply. I have a bunch of webservers, and I want to be 
> able to run svn update on all the webservers from master. Of course I can do cron 
> job that runs svn update, but I would like to revert to previous version on 
> fly if needed. So maybe I need to use that tool you are talking about ?
> 

How many is "a bunch"?  5, 30, 100, 1000?

> 
> -Original Message-
> From: Patrick 
> Date: Sun, 4 Apr 2010 21:43:45 
> To: 
> Subject: Re: [Puppet Users] How to push config from master ?
> 
> 
> On Apr 4, 2010, at 7:00 PM, JT wrote:
> 
>> I am trying to push configuration from the server. Here is the simple
>> config
>> 
>> node 'client.master.com' {
>> package { 'curl': ensure => present
>> }
>> }
>> 
>> -bash-3.2#puppet site.pp
>> dnsdomainname: Unknown host
>> Could not find default node or by name with 'domu-12-31-39-09-a4-
>> c4.com, domu-12-31-39-09-a4-c4, domU-12-31-39-09-A4-C4.com,
>> domU-12-31-39-09-A4-C4' on node domu-12-31-39-09-a4-c4.com
>> ping client.master.com
>> PING client.master.com (10.193.125.130) 56(84) bytes of data
>> 64 bytes from client.master.com (10.193.125.130): icmp_seq=1 ttl=61
>> time=0.739 ms
>> 
>> I can pull config from client but not able to push it from server, I
>> get this weird DNS error. Please help
>> 
> 
> I can't quite figure out what you are doing.
> 
> First, I'm not sure if there's a misunderstanding about terminology, or 
> something more fundamental.  Puppet in the default configuration is based on 
> a standard client to server model.  The server doesn't push information.  
> Instead the client pulls information.  Sorry if I'm repeating what you 
> already know.  (This is mostly true.  There is a command-line option that 
> allows you to push configuration, but that probably isn't what you want right 
> now.)
> 
> Now that I have that out of the way I'll continue.  In this case, the client 
> thinks that the client's name is domU-12-31-39-09-A4-C4.com.  The manifest 
> only lists a client called client.master.com.  There are three direct 
> solutions:
> *) Change something so the client thinks its name is client.master.com.
> *) Change the manifest so it lists a configuration for 
> *) Add a configuration for 'default' to the manifest.
> 
> I won't have a very good idea of which is best until I get more information 
> about what you are doing.
> 



Re: [Puppet Users] How to push config from master ?

2010-04-04 Thread Patrick

On Apr 4, 2010, at 7:00 PM, JT wrote:

> I am trying to push configuration from the server. Here is the simple
> config
> 
> node 'client.master.com' {
> package { 'curl': ensure => present
> }
> }
> 
> -bash-3.2#puppet site.pp
> dnsdomainname: Unknown host
> Could not find default node or by name with 'domu-12-31-39-09-a4-
> c4.com, domu-12-31-39-09-a4-c4, domU-12-31-39-09-A4-C4.com,
> domU-12-31-39-09-A4-C4' on node domu-12-31-39-09-a4-c4.com
> ping client.master.com
> PING client.master.com (10.193.125.130) 56(84) bytes of data
> 64 bytes from client.master.com (10.193.125.130): icmp_seq=1 ttl=61
> time=0.739 ms
> 
> I can pull config from client but not able to push it from server, I
> get this weird DNS error. Please help
> 

I can't quite figure out what you are doing.

First, I'm not sure if there's a misunderstanding about terminology, or 
something more fundamental.  Puppet in the default configuration is based on a 
standard client to server model.  The server doesn't push information.  Instead 
the client pulls information.  Sorry if I'm repeating what you already know.  
(This is mostly true.  There is a command-line option that allows you to push 
configuration, but that probably isn't what you want right now.)

Now that I have that out of the way I'll continue.  In this case, the client 
thinks that the client's name is domU-12-31-39-09-A4-C4.com.  The manifest only 
lists a client called client.master.com.  There are three direct solutions:
*) Change something so the client thinks its name is client.master.com.
*) Change the manifest so it lists a configuration for 
*) Add a configuration for 'default' to the manifest.

I won't have a very good idea of which is best until I get more information 
about what you are doing.




Re: [Puppet Users] Cannot get puppet master to sign certificate with Ubuntu 10.04

2010-04-04 Thread Patrick

On Apr 4, 2010, at 8:29 PM, h3 wrote:

> I have a puppet master running on a Ubuntu Hardy. I have some other
> Ubuntu servers and clients ranging from hardy to karmic that works
> fine.
> 
> Now I've set up a fresh Lucid Lynx install (10.04) and I can't get a
> certificate for it:
> 
> Client:
> 
>> sudo puppetd --waitforcert 60 --test
>> 
>> info: Creating a new SSL key for h3-desktop
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> info: Creating a new SSL certificate request for h3-desktop
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> warning: peer certificate won't be verified in this SSL session
>> notice: Did not receive certificate
>> warning: peer certificate won't be verified in this SSL session
>> notice: Did not receive certificate
> 
> Server:
> 
>> h...@server:/tmp$ sudo puppetca --list
>> No certificates to sign

Is the server version 0.24.x and the client is 0.25.x?  0.24 clients can 
connect to 0.25 servers, but not the other way around.




Re: [Puppet Users] Trouble with Puppet+Augeas in 0.25, but not in 0.24

2010-04-04 Thread Patrick

On Apr 4, 2010, at 3:14 AM, Peter Meier wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
>>augeas{"samba-global2":
>>context => "/files/etc/samba/smb.conf/
>> target[.='global']",
>>changes => [
>>"set workgroup MSHOME",
>>"set 'os\ level' 31",
>>],
>>}
>> }
>> 
>> This works in 0.24.8 and fails in 0.25.4.  Anyone know what change I
>> should make to get it working, or should I file a bug?
> 
> can you try without escaping the whitespace:
> 
>>"set 'os\ level' 31",
> vs.
>>"set 'os level' 31",
> 
> As augeas got some improvements in 0.25 and might finally work as
> expected, as in my opinion as you are setting single quotes the escaping
> shouldn't be required.
> And if it still fails, can you test it with 0.25.5rc1? This one got
> further improvements. You can also try to apply that recipe manually
> with the puppet-binary, so you don't have to upgrade your whole chain to
> an rc.
> 
> cheers pete

I tried 0.25.5rc1 from 
http://puppetlabs.com/downloads/puppet/puppet-0.25.5rc1.tar.gz and here's the 
output.  It's still got the same error as 0.25.4:

r...@simba:~/puppet_testing/puppet-0.25.5rc1/bin# ./puppet /root/init.pp 
--verbose --debug
debug: Creating default schedules
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does 
not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring 
File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/ssl/private_keys/simba.outer.pem]: Autorequiring 
File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring 
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/simba.outer.pem]: Autorequiring 
File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/csr_simba.outer.pem]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring 
File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/state/classes.txt]: Autorequiring 
File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/ssl/certs/simba.outer.pem]: Autorequiring 
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction -618469398 with 0 changes
info: Applying configuration version '1270401710'
debug: Augeas[samba-global2](provider=augeas): Opening augeas with root /, lens 
path , flags 0
debug: Augeas[samba-global2](provider=augeas): Augeas version 0.5.1 is installed
debug: Augeas[samba-global2](provider=augeas): Will attempt to save and only 
run if files changed
debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/workgroup", "MSHOME"]
debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/'os", "level'"]
debug: Augeas[samba-global2](provider=augeas): Files changed, should execute
debug: Augeas[samba-global2](provider=augeas): Closed the augeas connection
debug: //Augeas[samba-global2]: Changing returns
debug: //Augeas[samba-global2]: 1 change(s)
debug: Augeas[samba-global2](provider=augeas): Opening augeas with root /, lens 
path , flags 0
debug: Augeas[samba-global2](provider=augeas): Augeas version 0.5.1 is installed
debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/workgroup", "MSHOME"]
debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/'os", "level'"]
debug: Augeas[samba-global2](provider=augeas): Cl

Re: [Puppet Users] Trouble with Puppet+Augeas in 0.25, but not in 0.24

2010-04-04 Thread Patrick

On Apr 4, 2010, at 3:14 AM, Peter Meier wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
>>augeas{"samba-global2":
>>context => "/files/etc/samba/smb.conf/
>> target[.='global']",
>>changes => [
>>"set workgroup MSHOME",
>>"set 'os\ level' 31",
>>],
>>}
>> }
>> 
>> This works in 0.24.8 and fails in 0.25.4.  Anyone know what change I
>> should make to get it working, or should I file a bug?
> 
> can you try without escaping the whitespace:
> 
>>"set 'os\ level' 31",
> vs.
>>"set 'os level' 31",
> 
> As augeas got some improvements in 0.25 and might finally work as
> expected, as in my opinion as you are setting single quotes the escaping
> shouldn't be required.
> And if it still fails, can you test it with 0.25.5rc1? This one got
> further improvements. You can also try to apply that recipe manually
> with the puppet-binary, so you don't have to upgrade your whole chain to
> an rc.
> 
> cheers pete


First, since it seems like exact version matters more than I thought, I'm using 
0.25.4-2ubuntu4.

Here are the relevant lines from the client's log with the backslash removed.  
It's not working because puppet is trying to set "os"="level" instead of "os 
level"="31"

debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/workgroup", "MSHOME"]
debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/'os", "level'"]

debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/workgroup", "MSHOME"]
debug: Augeas[samba-global2](provider=augeas): sending command 'set' with 
params ["/files/etc/samba/smb.conf/target[.='global']/'os", "level'"]


Full output at http://pastie.org/902773

I'll try 0.25.5 later today.

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
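
The mis-split visible in the log above, as an added Ruby illustration that is not part of the original thread and is not Puppet's provider code. The function names are hypothetical, the naive split is an assumption that happens to reproduce the logged params, and the sample log lines are the thread's own debug lines joined back onto one line each.

```ruby
require 'json'
require 'shellwords'

# Context taken from the recipe in the thread.
CONTEXT = "/files/etc/samba/smb.conf/target[.='global']"

# Debug lines copied from the thread's client log, each joined onto one line.
SAMPLE_LOG = <<~'LOG'
  debug: Augeas[samba-global2](provider=augeas): sending command 'set' with params ["/files/etc/samba/smb.conf/target[.='global']/workgroup", "MSHOME"]
  debug: Augeas[samba-global2](provider=augeas): sending command 'set' with params ["/files/etc/samba/smb.conf/target[.='global']/'os", "level'"]
LOG

# Naive parsing (assumption, for illustration): split on whitespace and take
# the next two tokens as path and value. Quotes are treated as ordinary text,
# so a quoted label containing a space is cut in two and the real value is lost.
def naive_parse(context, change)
  cmd, path, value = change.split(' ')
  [cmd, "#{context}/#{path}", value]
end

# Quote-aware parsing: Shellwords keeps a quoted label together as one token
# and strips the surrounding quotes.
def quoted_parse(context, change)
  cmd, path, value = Shellwords.split(change)
  [cmd, "#{context}/#{path}", value]
end

# A parameter carrying an odd number of quote characters was cut in the
# middle of a quoted token.
def unbalanced?(param)
  param.count("'").odd? || param.count('"').odd?
end

# Scan a debug log and return [command, params] for every "sending command"
# line whose params show the mis-split. The logged array is Ruby inspect
# output, which is valid JSON for plain strings like these.
def missplit_commands(log)
  log.each_line.map do |line|
    m = line.match(/sending command '(\w+)' with params (\[.*\])\s*$/)
    next unless m
    params = begin
      JSON.parse(m[2])
    rescue JSON::ParserError
      next
    end
    [m[1], params] if params.any? { |p| unbalanced?(p) }
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  change = "set 'os level' 31"
  puts "naive:  #{naive_parse(CONTEXT, change).inspect}"
  puts "quoted: #{quoted_parse(CONTEXT, change).inspect}"
  missplit_commands(SAMPLE_LOG).each do |cmd, params|
    puts "mis-split #{cmd}: #{params.inspect}"
  end
end
```

Running the log check against a client's debug output shows which changes were split in the middle of a quoted label before they reached Augeas.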



[Puppet Users] Trouble with Puppet+Augeas in 0.25, but not in 0.24

2010-04-03 Thread Patrick (kc7zzv)
After upgrading to puppet 0.25.4, I have not been able to get Augeas
recipes to work if the path has a space.  Here's an example:

class samba-server {

    augeas{"samba-global2":
        context => "/files/etc/samba/smb.conf/target[.='global']",
        changes => [
            "set workgroup MSHOME",
            "set 'os\ level' 31",
        ],
    }
}

This works in 0.24.8 and fails in 0.25.4.  Anyone know what change I
should make to get it working, or should I file a bug?

0.24.8 working:
http://pastie.org/902320

0.25.4 not working:
http://pastie.org/902322




Re: [Puppet Users] Uncaught exception failed to allocate memory

2010-04-02 Thread Patrick
Puppet just doesn't work well moving big files.  Also, 0.24 is much worse for 
this than 0.25.  Using an apt repository or wget in an exec would probably be 
better.  If you really want to try to make this work your way, here are two 
things to check though:
1) Is the puppet-setup directory being created before you pull the file?
2) Is the file in a module, if so you need to put the module name in the file 
path.


Here's an easy way to create a custom repository:
http://nerdica.com/?p=43

A second option is using wget.  The wget recipe would look something like this 
(pseudo-code):

# exec needs a fully qualified command; cwd sets the working directory.
exec { "/usr/bin/wget http://servername/ruby-enterprise_1.8.7-2010.01_amd64.deb":
    creates => "/root/puppet-setup/ruby-enterprise_1.8.7-2010.01_amd64.deb",
    cwd     => "/root/puppet-setup/",
}


-Patrick Mohr

On Apr 2, 2010, at 5:23 AM, Marcelo Barbudas wrote:

> Hi!
> 
> I have a recipe that's supposed to download ree from a master and
> install it. It looks like:
> 
># Install ree
>file { "/root/puppet-setup/ruby-
> enterprise_1.8.7-2010.01_amd64.deb":
>  source => "puppet://$servername/files/ruby-
> enterprise_1.8.7-2010.01_amd64.deb",
>  mode   => 0644, owner => root, group => root,
>  notify => Exec[ree-install],
>  ensure => present,
>}
> 
> exec { ree-install:
>command => "/usr/bin/dpkg -i /root/puppet-setup/ruby-
> enterprise_1.8.7-2010.01_amd64.deb",
>refreshonly => true,
>require => [ File["/root/puppet-setup/ruby-
> enterprise_1.8.7-2010.01_amd64.deb"] ],
> }
> 
> 
> When I try to run this I get the error in the subject:
> 
> info: Caching catalog at /var/lib/puppet/state/localconfig.yaml
> notice: Starting catalog run
> err: //Node[default]/lenny/default-class/base/File[/root/puppet-setup/
> ruby-enterprise_1.8.7-2010.01_amd64.deb]/ensure: change from absent to
> file failed: Could not retrieve /files/ruby-
> enterprise_1.8.7-2010.01_amd64.deb: Uncaught exception failed to
> allocate memory in method fileserver.retrieve at /etc/puppet/manifests/
> classes/base.pp:36
> notice: //Node[default]/lenny/default-class/base/Exec[ree-install]:
> Dependency file[/root/puppet-setup/ruby-
> enterprise_1.8.7-2010.01_amd64.deb] has 1 failures
> warning: //Node[default]/lenny/default-class/base/Exec[ree-install]:
> Skipping because of failed dependencies
> notice: //Node[default]/lenny/default-class/apt-setup/Exec[apt-update]/
> returns: executed successfully
> notice: //Node[default]/lenny/default-class/base/Exec[debian-backports-
> keyring]/returns: executed successfully
> notice: Finished catalog run in 106.13 seconds
> 
> The puppet slave is a vmware Debian with 512MB ram. Ree is 17MB.
> Puppet version is Debian stable 0.24.5-3
> 
> --
> M.
> 



Re: [Puppet Users] Inline include

2010-03-19 Thread Patrick

On Mar 19, 2010, at 5:05 PM, Douglas Garstang wrote:

> On Fri, Mar 19, 2010 at 4:51 PM, Patrick  wrote:
>> 
>> On Mar 19, 2010, at 4:36 PM, Douglas Garstang wrote:
>> 
>>> I've already broken it down as much as I can. The bottom class is
>>> calling the same definition 10 times to set up 10 instances of jboss
>>> on a single system, and another definition is running 10 times to
>>> setup 10 instances of tomcat on the same server (don't blame me...
>>> it's the way our software was built). So I can't really subclass
>>> that. It would be nice for clarity to break each definition into a
>>> separate file however. Poo.
>>> 
>>> Doug.
>>> 
>> 
>> I misunderstood the problem.  Here's something else that might be what you 
>> want.  You can "import" a .pp file.  You could put each computer in its own 
>> computername.pp and include them all in nodes.pp or site.pp.  That's why 
>> nodes.pp is read.  This would all be in the manifests folder.  For instance, 
>> putting this:
>> 
>> import "nodes"
>> 
>> in site.pp will do something closer to what most people think of as 
>> "include" than the puppet include.  That what you want?
> 
> Patrick,
> 
> Hmmm tried that and it's doing something weird. I put an import
> "foo.pp" into my node file, and it looks like puppet is trying to auto
> import that foo.pp for every single node.
> 
> ie, I am seeing this...
> 
> Could not retrieve catalog: Puppet::Parser::AST::Resource failed with
> error ArgumentError: Duplicate definition: Elements::Customer[tfel0]
> is already defined in file
> /etc/puppet/manifests/nodes/fr.xxx.com/foo.pp at line 12; cannot
> redefine at /etc/puppet/manifests/nodes/fr.xxx.com/app07.pp:175 on
> node app07.fr.xxx.com
> 
> The app07.pp file doesn't even import foo.pp! It's in app01.pp. Bizarre.
> 
> Doug

Sounds like a communications problem between us.  Here's a more complete 
example.  Keep in mind that this isn't making anything much simpler.  It just 
moves it into more files.  Also, every node sees every file.

site.pp:
#global site definitions
import "nodes"
#end site.pp--


nodes.pp:
import "computer1"
import "computer2"
#end node.pp--


computer1.pp:
node 'computer1.domain' {
    include module1
    include module2
}
#end computer1.pp--


computer2.pp:
node 'computer2.domain' {
    include module2
    include module3
}
#end computer2.pp--





Re: [Puppet Users] Inline include

2010-03-19 Thread Patrick

On Mar 19, 2010, at 4:36 PM, Douglas Garstang wrote:

> I've already broken it down as much as I can. The bottom class is
> calling the same definition 10 times to set up 10 instances of jboss
> on a single system, and another definition is running 10 times to
> setup 10 instances of tomcat on the same server (don't blame me...
> it's the way our software was built). So I can't really subclass
> that. It would be nice for clarity to break each definition into a
> separate file however. Poo.
> 
> Doug.
> 

I misunderstood the problem.  Here's something else that might be what you 
want.  You can "import" a .pp file.  You could put each computer in its own 
computername.pp and include them all in nodes.pp or site.pp.  That's why 
nodes.pp is read.  This would all be in the manifests folder.  For instance, 
putting this:

import "nodes"

in site.pp will do something closer to what most people think of as "include" 
than the puppet include.  That what you want?




Re: [Puppet Users] Inline include

2010-03-19 Thread Patrick
On Mar 19, 2010, at 4:19 PM, Douglas Garstang wrote:

> My node manifests are getting rather large.
> 
> Is there a way I can inline include a file into a node manifest? I'd
> like to break the node manifest into smaller parts. Note, this is NOT
> a module include I am looking for.

I don't know how to do that, but this might solve your problem.

I usually put all or almost all the modules to be included into base classes.  
Some of these classes include others, and then the nodes include them.  This 
keeps my node definitions small.  Here's an example:


class base-loadset {
    include aptcacher-client #Get apt updates from the apt cache
    include auto-updates #automatically get updates
    include base-accounts
    include base-packages
    include local-apt
    include puppet-conf
}

class client-base-loadset {
    include base-loadset

    include ntp-client
    include student-packages
    include oaks
}

class server-base-loadset {
    include base-loadset

    include ntp-server
    include samba-server
}



node
    'basicserver1.domain',
    'basicserver2.domain',
{
    include server-base-loadset
}

node
    'webserver1.domain',
{
    include server-base-loadset
    include apache-server
}


node
    'client1.domain',
    'client2.domain',
{
    include client-base-loadset
}





Re: [Puppet Users] Re: Puppet freezes in the middle of runs

2010-03-18 Thread Patrick

On Mar 18, 2010, at 12:24 PM, Thomas wrote:

> Looking into it more, I think I found the root of the problem. The
> following is a snippet from my puppet configuration:
> 
>  # create /var/log/mysql/archived_logs
>  file { "archived_logs":
>   path=> "/var/log/mysql/archived_logs",
>   ensure  => directory,
>   mode=> 775,
>   owner   => "mysql",
>   group   => "mysql",
>   recurse => "true",
>   require => File[mysql_log]
>  }
> 
> What I see happening in strace is puppet trying to read in data from
> one of the files in the archived_logs directory. Did I make a mistake
> in my configuration here?
> 

What exactly are you trying to do here?  Are you trying to push logs from the 
server to the clients?  If not, why do you have "recurse => true"?  If you are 
trying to push permissions, this isn't a good way to do it.  Sadly, Puppet is 
slow enough that an exec with "chown -R mysql:mysql 
/var/log/mysql/archived_logs" and a "chmod -R ..." would probably be much 
faster.

One wild guess would be that a file in that folder is locked, and puppet is 
blocking on trying to do something to that file.




Re: [Puppet Users] dependencies

2010-03-17 Thread Patrick
How is that different from the example you're quoting?  Can't you just put 
whatever's in that as a global dependency for Package?

On Mar 17, 2010, at 4:35 PM, Christopher Johnston wrote:

> I guess my only gripe here is I have about 2 dozen modules, most of which install 
> some form of a pkg from yum.  So they all have a direct dependency on my yum 
> module to do the right thing.  I would hate to have to put a require in every 
> single instance that I call the method to install a pkg.  Any ideas on how 
> to simplify this to ensure yum is the very first thing that gets configured 
> on my system?
> 
>require => [ Class["yum"],
> 
> On Tue, Mar 9, 2010 at 5:51 PM, Patrick  wrote:
> 
> On Mar 9, 2010, at 5:26 AM, Christopher Johnston wrote:
> 
> > For example I have a yum module that sets yum configs up, but obviously I 
> > have other modules that depend on the installation of that yum module in 
> > order to use it to install rpms.
> 
> I do the same thing with apt.  To solve this, I set the files that need to be 
> set at the global dependency for all packages.  Here's an example.
> 
> Package { require => Exec["post-proxy-update"] }
> 
>file { "/etc/apt/apt.conf.d/01proxy":
>owner   => root,
>group   => root,
>mode=> 644,
>source  => "puppet:///aptcacher-client/01proxy",
>}
> 
>exec { "/usr/bin/apt-get update":
>alias   => "post-proxy-update",
>subscribe   => [ File["/etc/apt/apt.conf.d/01proxy"], 
> File["/etc/apt/sources.list.d/simba.list"] ],
>require => [ File["/etc/apt/apt.conf.d/01proxy"], 
> File["/etc/apt/sources.list.d/simba.list"] ],
>refreshonly => true,
>}
> 
>file { "/etc/apt/sources.list.d/simba.list":
>owner   => root,
>group   => root,
>mode=> 644,
>source  => "puppet:///local-apt/simba.list",
>}
> 



Re: [Puppet Users] disable ssl

2010-03-15 Thread Patrick

On Mar 15, 2010, at 8:26 AM, Ohad Levy wrote:

> ssl has nothing to do with mongrel or passenger, as ssl is handled in apache 
> (or nginx).
> 
> as far as it goes for SSL, you have two options:
> 1. a single CA
> 2. CA chain hierarchy.
> 
> the first option is simple, one of your puppetmasters will be your CA, and 
> every sign will run on it, you would require it for any new certs that are 
> introduced to your setup.
> 
> the second option works as well, and is described at 
> http://projects.reductivelabs.com/projects/puppet/wiki/Puppet_Scalability 
> under  Centralised_Puppet_Infrastructure

What about creating one certificate authority using puppet and then manually 
copying to all the servers as a temporary solution?  The two problems I see are:
1) The CRL doesn't work due to duplicate serial numbers.
2) Not having the server's real name in the root might be a problem if all your 
clients don't use just puppet for the hostname.

Is this actually likely to work?

> if you can afford using a single machine for signing your certs, I would 
> recommend you going to option 1 (as someone using option 2 for a few years 
> now).
> 
> Cheers,
> Ohad




Re: [Puppet Users] Re: Puppet 100% CPU usage

2010-03-12 Thread Patrick

On Mar 12, 2010, at 3:30 AM, DieterVDW wrote:

> The problem is, I -am- using apt!
> Those files are downloaded and installed using apt, I just want puppet
> to make sure they are owned by a certain user and group.
> That's the only thing puppet needs to do.
> 

I didn't read the bug report before my last reply.  I know this isn't what you 
want, but how about adding chown to the Makefile used to generate the deb.  
Also, you could just run chown using Exec.




Re: [Puppet Users] Puppet 100% CPU usage

2010-03-12 Thread Patrick

On Mar 12, 2010, at 1:18 AM, DieterVDW wrote:

> I just want this resource to make sure that all files in the directory
> are owned by user and group $username.
> /some/data/dir contains 300M in 6000+ files.
> 

Puppet doesn't handle a folder with lots of files well.  It handles large files 
even worse.  The standard advice is "Try putting the files in a package and 
distributing them using apt."  Another common answer is to try combining exec 
and rsync.  I ended up using apt.  Here are the tutorials I used:

How to create a Ubuntu repository:
http://nerdica.com/?p=43

How to create packages:
http://www.debian-administration.org/articles/336

Good luck.  I hope you get it working.  With luck it's a bug that will get 
fixed.




Re: [Puppet Users] DNS issues?

2010-03-10 Thread Patrick

On Mar 10, 2010, at 6:54 AM, Brian Keifer wrote:

> 
> On Mar 9, 2010, at 5:50 PM, Patrick wrote:
> 
>> 
>> On Mar 9, 2010, at 1:59 PM, Brian Keifer wrote:
>> 
>>> 
>>> On Mar 9, 2010, at 4:57 PM, Patrick wrote:
>>> 
>>>> 
>>>> On Mar 9, 2010, at 6:36 AM, Brian Keifer wrote:
>>>> 
>>>>> 
>>>>> On Mar 9, 2010, at 12:17 AM, Dan Bode wrote:
>>>>> 
>>>>>> 
>>>>>> 1. Check the source attribute assignment.
>>>>>> 
>>>>>> source => puppet:///modules/stats/denora.conf
>>>>>> 
>>>>>> the third slash means use same server address as the server we connected 
>>>>>> to.
>>>>>> 
>>>>>> maybe its hardcoded to be the server name?
>>>>>> 
>>>>>> 2. you could also try:
>>>>>> 
>>>>>> [puppetmasterd]
>>>>>> certdnsnames=badger.valinor.net
>>>>>> 
>>>>>> on the server if you need this name to be accepted by the cert.
>>>>>> 
>>>>> 
>>>>> Thanks!  I had been using source => 
>>>>> "puppet://$servername/module/path/filename.ext".  I switched to 
>>>>> puppet:/// and added the certdnsnames line to my puppetmaster's config 
>>>>> file.  My config looks a bit cleaner, but I'm still getting the random 
>>>>> errors on my file definitions:
>>>>> 
>>>>> err: //inspircd/File[/home/procrast/inspircd/conf/modules.conf]: Failed 
>>>>> to retrieve current state of resource: undefined method `closed?' for 
>>>>> nil:NilClass Could not retrieve file metadata for 
>>>>> puppet:///inspircd/modules.conf: undefined method `closed?' for 
>>>>> nil:NilClass at /etc/puppet/modules/inspircd/manifests/init.pp:15
>>>>> 
>>>>> From several test runs with:
>>>>> 
>>>>>   puppetd --server puppet.procrast.net --fqdn badger.procrast.net 
>>>>> --no-daemonize --onetime --verbose
>>>>> 
>>>>> I get between 3 and 9 of these errors each time, always a different 
>>>>> subset of my files.  These same files serve properly to my other two 
>>>>> clients.
>>>>> 
>>>>> I don't get it.
>>>> 
>>>> This might be related to http://projects.reductivelabs.com/issues/3083.  
>>>> Try using "puppetca --list --all" on the server and check if those clients 
>>>> are in the list.  If they are not in the list, it's probably that bug.
>>>> -Patrick
>>>> 
>>> 
>>> The problem client does appear to be listed.
>>> 
>>> [r...@badger /etc/puppet]# puppetca --list --all
>>> + badger.procrast.net
>>> + puppet.procrast.net
>> 
>> Does puppetca show the other clients (that work) as being in the same 
>> domain?  Also, take a look at /etc/puppet/fileserver.conf.
>> 
> 
> Yep.  They all show .procrast.net addresses.  My fileserver.conf is quite 
> basic at the moment.  It's got the path to the files for each module and an 
> "allow *" for each.
> 
> I believe the fileserver.conf is set up correctly, as the problems are 
> sporadic.  On one run a file may fail, but on the other runs it copies 
> properly.  Additionally, the other two clients that are not on the same 
> machine as the fileserver have no issues at all.
> 
> Thanks!

I really have no idea what's wrong.  Here are some standard troubleshooting ideas 
that I would try.

Here are a couple of things to compare between clients that work and clients 
that don't:
What version of puppet are they using?
Is the path to the server complicated?  (How many router hops? is there 
a natting firewall in between?  High latency?  Packet loss?)
What OS are you using?





Re: [Puppet Users] DNS issues?

2010-03-09 Thread Patrick

On Mar 9, 2010, at 1:59 PM, Brian Keifer wrote:

> 
> On Mar 9, 2010, at 4:57 PM, Patrick wrote:
> 
>> 
>> On Mar 9, 2010, at 6:36 AM, Brian Keifer wrote:
>> 
>>> 
>>> On Mar 9, 2010, at 12:17 AM, Dan Bode wrote:
>>> 
>>>> 
>>>> 1. Check the source attribute assignment.
>>>> 
>>>> source => puppet:///modules/stats/denora.conf
>>>> 
>>>> the third slash means use same server address as the server we connected 
>>>> to.
>>>> 
>>>> maybe its hardcoded to be the server name?
>>>> 
>>>> 2. you could also try:
>>>> 
>>>> [puppetmasterd]
>>>> certdnsnames=badger.valinor.net
>>>> 
>>>> on the server if you need this name to be accepted by the cert.
>>>> 
>>> 
>>> Thanks!  I had been using source => 
>>> "puppet://$servername/module/path/filename.ext".  I switched to puppet:/// 
>>> and added the certdnsnames line to my puppetmaster's config file.  My 
>>> config looks a bit cleaner, but I'm still getting the random errors on my 
>>> file definitions:
>>> 
>>> err: //inspircd/File[/home/procrast/inspircd/conf/modules.conf]: Failed to 
>>> retrieve current state of resource: undefined method `closed?' for 
>>> nil:NilClass Could not retrieve file metadata for 
>>> puppet:///inspircd/modules.conf: undefined method `closed?' for 
>>> nil:NilClass at /etc/puppet/modules/inspircd/manifests/init.pp:15
>>> 
>>> From several test runs with:
>>> 
>>> puppetd --server puppet.procrast.net --fqdn badger.procrast.net 
>>> --no-daemonize --onetime --verbose
>>> 
>>> I get between 3 and 9 of these errors each time, always a different subset 
>>> of my files.  These same files serve properly to my other two clients.
>>> 
>>> I don't get it.
>> 
>> This might be related to http://projects.reductivelabs.com/issues/3083.  Try 
>> using "puppetca --list --all" on the server and check if those clients are 
>> in the list.  If they are not in the list, it's probably that bug.
>> -Patrick
>> 
> 
> The problem client does appear to be listed.
> 
> [r...@badger /etc/puppet]# puppetca --list --all
> + badger.procrast.net
> + puppet.procrast.net

Does puppetca show the other clients (that work) as being in the same domain?  
Also, take a look at /etc/puppet/fileserver.conf.




Re: [Puppet Users] How to efficiently manage multiple packages installing in the same directory

2010-03-09 Thread Patrick

On Mar 9, 2010, at 11:41 AM, Mathew Binkley wrote:

> Hi everyone.  I am trying to manage several different packages using
> Puppet.  For the sake of maintainability, each package is installed in
> its own separate puppet directory.  Each package would have a separate
> install_package.pp script and corresponding folder in /etc/puppet/
> files on the server:
> 
>/etc/puppet/files/foo/
> etc/
> root/
> usr/local
> 
>   /etc/puppet/files/bar/
> etc/
> var/lib
> 
> To avoid micromanaging, I would like to simply copy over the contents
> of each folder to / on the client.  While each package has directories
> in common (/etc for example), all of the files in each package are
> orthogonal and not shared between packages.  For example, package foo
> will be the only package that will ever install /etc/foo.conf.
> Package bar will never manage it.
> 

Can't you split it into stuff that changes and stuff that doesn't, and then put 
the stuff that doesn't change into a package?  Then put whatever changes into 
subdirectories?

If that doesn't work, you could copy and extract a tar file with something like 
this:

#Don't use /tmp because some distros nuke that at startup.
#/var/puppet_tmp/ won't exist.  Make sure you create it.
file { "/var/puppet_tmp/test.tar.gz":
    owner   => "root",
    group   => "root",
    mode    => 750,
    source  => "puppet:///module_name/test.tar.gz",
    require => File["/var/puppet_tmp"],
}

#-f names the archive to extract; refreshonly limits the run to when the file changes.
exec { "/bin/tar -xvzf /var/puppet_tmp/test.tar.gz":
    cwd         => "/",
    subscribe   => File["/var/puppet_tmp/test.tar.gz"],
    require     => File["/var/puppet_tmp/test.tar.gz"],
    refreshonly => true,
}

If you do that a lot, wrapping it in a define shouldn't be too hard.




Re: [Puppet Users] DNS issues?

2010-03-09 Thread Patrick

On Mar 9, 2010, at 6:36 AM, Brian Keifer wrote:

> 
> On Mar 9, 2010, at 12:17 AM, Dan Bode wrote:
> 
>> 
>> 1. Check the source attribute assignment.
>> 
>> source => puppet:///modules/stats/denora.conf
>> 
>> the third slash means use same server address as the server we connected to.
>> 
>> maybe its hardcoded to be the server name?
>> 
>> 2. you could also try:
>> 
>> [puppetmasterd]
>>   certdnsnames=badger.valinor.net
>> 
>> on the server if you need this name to be accepted by the cert.
>> 
> 
> Thanks!  I had been using source => 
> "puppet://$servername/module/path/filename.ext".  I switched to puppet:/// 
> and added the certdnsnames line to my puppetmaster's config file.  My config 
> looks a bit cleaner, but I'm still getting the random errors on my file 
> definitions:
> 
> err: //inspircd/File[/home/procrast/inspircd/conf/modules.conf]: Failed to 
> retrieve current state of resource: undefined method `closed?' for 
> nil:NilClass Could not retrieve file metadata for 
> puppet:///inspircd/modules.conf: undefined method `closed?' for nil:NilClass 
> at /etc/puppet/modules/inspircd/manifests/init.pp:15
> 
> From several test runs with:
> 
>   puppetd --server puppet.procrast.net --fqdn badger.procrast.net 
> --no-daemonize --onetime --verbose
> 
> I get between 3 and 9 of these errors each time, always a different subset of 
> my files.  These same files serve properly to my other two clients.
> 
> I don't get it.

This might be related to http://projects.reductivelabs.com/issues/3083.  Try 
using "puppetca --list --all" on the server and check if those clients are in 
the list.  If they are not in the list, it's probably that bug.
-Patrick




Re: [Puppet Users] dependencies

2010-03-09 Thread Patrick

On Mar 9, 2010, at 5:26 AM, Christopher Johnston wrote:

> For example I have a yum module that sets yum configs up, but obviously I 
> have other modules that depend on the installation of that yum module in 
> order to use it to install rpms.

I do the same thing with apt.  To solve this, I set the files that need to be 
set as the global dependency for all packages.  Here's an example.

Package { require => Exec["post-proxy-update"] }

file { "/etc/apt/apt.conf.d/01proxy":
    owner   => root,
    group   => root,
    mode    => 644,
    source  => "puppet:///aptcacher-client/01proxy",
}

exec { "/usr/bin/apt-get update":
    alias       => "post-proxy-update",
    subscribe   => [ File["/etc/apt/apt.conf.d/01proxy"],
                     File["/etc/apt/sources.list.d/simba.list"] ],
    require     => [ File["/etc/apt/apt.conf.d/01proxy"],
                     File["/etc/apt/sources.list.d/simba.list"] ],
    refreshonly => true,
}

file { "/etc/apt/sources.list.d/simba.list":
    owner   => root,
    group   => root,
    mode    => 644,
    source  => "puppet:///local-apt/simba.list",
}




Re: [Puppet Users] exec -> creates question

2010-03-05 Thread Patrick

On Mar 5, 2010, at 8:46 AM, Allan Marcus wrote:

> The method you suggest is how we were first going to do a "one time script", 
> but then we saw the "creates" parameter. 
> 
> What is the Creates parameter for then? Is it just redundant to [unless => 
> "test -e MYFILE"]
> 
> ---
> 

Mostly, it's just a nicer syntax.  Also, make sure that the command won't hose 
your computer if run twice.  It's always possible that the puppet run will stop 
before the file is created.

> 
> 
> 
> On Mar 4, 2010, at 2:36 PM, Steven VanDevender wrote:
> 
>> Pete Emerson writes:
>>> If you don't care about the contents of the file, just whether it's
>>> there or not:
>>> 
>>> unless => "/usr/bin/file MYFILE"
>>> 
>>> or
>>> 
>>> unless => "/usr/bin/stat MYFILE"
>>> 
>>> or
>>> 
>>> unless => "/bin/ls MYFILE"
>>> 
>>> should all be pretty lightweight
>> 
>> Actually, if all "unless" looks at is the return code of the command I
>> would probably go with
>> 
>> unless => "test -e MYFILE"
>> 
>> If you use "test" you could also do more sophisticated things like
>> require the presence of a real file with "-f" and combine other tests for
>> permissions or ownership.
>> 
>>> On Thu, Mar 4, 2010 at 12:06 PM, Patrick  wrote:
>>>> 
>>>> On Mar 4, 2010, at 7:29 AM, Allan Marcus wrote:
>>>> 
>>>>> A file that this command creates.  If this
>>>>>   parameter is provided, then the command will only be run
>>>>>   if the specified file does not exist::
>>>>> 
>>>>>   exec { \"tar xf /my/tar/file.tar\":
>>>>>   cwd => \"/var/tmp\",
>>>>>   creates => \"/var/tmp/myfile\",
>>>>>   path => [\"/usr/bin\", \"/usr/sbin\"]
>>>>>   }
>>>>> 
>>>>> 
>>>>> Is there a way to set the content of this file (/var/tmp/myfile) using 
>>>>> some additional parameter in the above syntax?
>>>> 
>>>> This isn't the "right" way to do it, and you may have performance issues 
>>>> depending on the size of the file, but you can always combine grep with 
>>>> unless.
>>>> 
>>>> If you want to re-extract the file if the file doesn't contain 
>>>> "testString" this should work.
>>>> 
>>>> exec { "tar xf /my/tar/file.tar":
>>>>   cwd => "/var/tmp",
>>>>   creates => "/var/tmp/myfile",
>>>>   path => ["/usr/bin", "/usr/sbin"],
>>>>   unless => "grep testString myfile",
>>>> }



Re: [Puppet Users] Puppet 0.24.8 RPM (0.25.4 client not backwards compatible)

2010-03-04 Thread Patrick

On Mar 4, 2010, at 2:16 PM, James Turnbull wrote:

> 
> On 4/03/10 1:35 PM, Patrick wrote:
>> You can find the SSL problem at
>> http://projects.reductivelabs.com/issues/3083.  I can't upgrade
>> until it's resolved.  The problem is that half of my computers
>> are over a VPN link with NAT so the clients can't be looked-up
>> using DNS.  Everything works fine under 0.24.8 though.
>> 
> 
> Okay ... I'll take a look at that ticket.  Do you know, however, if
> this is the same issue Douglas is having?  His emails suggested that
> nothing worked for him.  You have a specific instance of network
> configuration that is tripped because of the reverse look-up rather
> than a site-wide SSL issue.
> 
> Regards
> 
> James Turnbull

Not really.  All he said was something like "the SSL problem that lots of 
people are having".  This does qualify, but it could be a different problem.  
This would cause what looks like a site-wide SSL issue if none of the clients 
had good DNS entries.  Because this stops the clients from registering with the 
server, it does make it look like the whole puppet package is broken if you 
don't have existing clients from before the upgrade.




Re: [Puppet Users] Puppet 0.24.8 RPM (0.25.4 client not backwards compatible)

2010-03-04 Thread Patrick

On Mar 4, 2010, at 12:11 PM, James Turnbull wrote:

> On 4/03/10 11:55 AM, Douglas Garstang wrote:
>> All I can say is Ugh.
>> 
>> I'm avoiding 0.25 like the plague. The last time I tried to use it, I
>> simply couldn't get the SSL keys to work, and from what I read, others did
>> too. Were those problems fixed?
> 
> There are a lot of people on 0.25.x without any SSL issues.
> 
> I'll make the same offer I did back then:
> 
> * Can you list out the issues you had?
> * Did you log tickets for them?
> * If not, could you please do so and adding platform and log/trace
> output to the tickets that'd also greatly help.
> 
> 

You can find the SSL problem at http://projects.reductivelabs.com/issues/3083.  
I can't upgrade until it's resolved.  The problem is that half of my computers 
are over a VPN link with NAT so the clients can't be looked-up using DNS.  
Everything works fine under 0.24.8 though.




Re: [Puppet Users] Puppet 0.24.8 RPM (0.25.4 client not backwards compatible)

2010-03-04 Thread Patrick

On Mar 4, 2010, at 11:55 AM, Douglas Garstang wrote:

> All I can say is Ugh.
> 
> I'm avoiding 0.25 like the plague. The last time I tried to use it, I
> simply couldn't get the SSL keys to work, and from what I read, others did
> too. Were those problems fixed?
> 
> Doug.

The problem that most people were having is pretty simple.  The server must be 
able to find the client using DNS, or else the SSL certificate doesn't end up 
in puppetca.  I don't know exactly where it's failing, but as long as your 
server can do a forward and reverse lookup on your clients, you should be fine. 
This is only an issue when a client that does not have a certificate connects 
to the server.  As long as the client has a certificate in puppetca, it should 
be fine.

Some people got around this problem by adding the client to the server's 
/etc/hosts until the client's first run was over.
More information at http://projects.reductivelabs.com/issues/3083

There was one other problem that I remember having to do with serial number 
having a value of zero in certificates.  I don't remember what that affected, 
or if it was fixed though.  It did only happen when using puppetmaster through 
a different server like Mongrel or Passenger.  I don't remember which one(s) it 
is though.
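
A way to run the forward and reverse lookup described above from the puppetmaster before a new client's first run, as an added example that is not part of the original thread. The function names and the sample resolver table are hypothetical and constructed for illustration; called without the sample resolvers, `check_client` uses the system resolver, so entries in the server's /etc/hosts count.

```python
import socket


def system_forward(name):
    """IPv4 addresses the local resolver (DNS or /etc/hosts) gives for name."""
    return socket.gethostbyname_ex(name)[2]


def system_reverse(addr):
    """Primary name and aliases the local resolver gives for addr."""
    primary, aliases, _ = socket.gethostbyaddr(addr)
    return [primary] + list(aliases)


def _same_host(wanted, found):
    """True if the names are equal or one is the short form of the other."""
    wanted = wanted.lower().rstrip(".")
    found = found.lower().rstrip(".")
    return (wanted == found
            or found.startswith(wanted + ".")
            or wanted.startswith(found + "."))


def check_client(name, forward=system_forward, reverse=system_reverse):
    """Check forward and reverse resolution of one client, as seen from here.

    Returns a list of problem strings; an empty list means the name resolves
    to at least one address and every address resolves back to that name.
    """
    try:
        addrs = forward(name)
    except OSError as exc:  # socket.gaierror and socket.herror are OSErrors
        return ["forward lookup of %s failed: %s" % (name, exc)]
    if not addrs:
        return ["forward lookup of %s returned no address" % name]

    problems = []
    for addr in addrs:
        try:
            names = reverse(addr)
        except OSError as exc:
            problems.append("reverse lookup of %s failed: %s" % (addr, exc))
            continue
        if not any(_same_host(name, n) for n in names):
            problems.append("%s resolves back to %s, not %s"
                            % (addr, ", ".join(names), name))
    return problems


# Constructed sample data standing in for the server's view of name
# resolution (addresses are from the 192.0.2.0/24 documentation range).
SAMPLE_FORWARD = {
    "dev-sandbox": ["192.0.2.10"],
    "web1.example.test": ["192.0.2.11"],
    "vpn-client": ["192.0.2.20"],   # behind NAT: no reverse entry
    "old-name": ["192.0.2.30"],     # address now belongs to another host
}
SAMPLE_REVERSE = {
    "192.0.2.10": ["dev-sandbox"],
    "192.0.2.11": ["web1"],
    "192.0.2.30": ["other-host"],
}


def sample_forward(name):
    if name not in SAMPLE_FORWARD:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return SAMPLE_FORWARD[name]


def sample_reverse(addr):
    if addr not in SAMPLE_REVERSE:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_REVERSE[addr]


def check_sample(name):
    """Run check_client against the constructed table instead of real DNS."""
    return check_client(name, sample_forward, sample_reverse)


if __name__ == "__main__":
    import sys
    # Usage on the server: python check_lookup.py client1 client2 ...
    for client in sys.argv[1:]:
        found = check_client(client)
        print(client, "OK" if not found else "; ".join(found))
```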




Re: [Puppet Users] exec -> creates question

2010-03-04 Thread Patrick

On Mar 4, 2010, at 7:29 AM, Allan Marcus wrote:

> A file that this command creates.  If this
>   parameter is provided, then the command will only be run
>   if the specified file does not exist::
> 
>   exec { \"tar xf /my/tar/file.tar\":
>   cwd => \"/var/tmp\",
>   creates => \"/var/tmp/myfile\",
>   path => [\"/usr/bin\", \"/usr/sbin\"]
>   }
> 
> 
> Is there a way to set the content of this file (/var/tmp/myfile) using some 
> additional parameter in the above syntax?

This isn't the "right" way to do it, and you may have performance issues 
depending on the size of the file, but you can always combine grep with unless.

If you want to re-extract the file if the file doesn't contain "testString" 
this should work.

exec { "tar xf /my/tar/file.tar":
    cwd     => "/var/tmp",
    creates => "/var/tmp/myfile",
    path    => ["/usr/bin", "/usr/sbin"],
    unless  => "grep testString myfile",
}





Re: [Puppet Users] Explicitly set $servername?

2010-03-04 Thread Patrick

On Mar 4, 2010, at 3:07 AM, Tim wrote:

> I'm an idiot..
> 
> I had actually hard coded $servername into the source statement
> 
> source  => "puppet://$servername/users/authkeys/$name".
> 
> Once I had swapped that out for the other interface name, everything
> else started to work fine!
> 

Why not just use puppet:/// ?  (three slashes)  Won't that give you what you 
want?




Re: [Puppet Users] Re: puppet on os x: definitive setup notes?

2010-03-01 Thread Patrick

On Mar 1, 2010, at 6:02 PM, foilpan wrote:

> thanks nigel and james. i'm actually reading notes passed along by
> another list member, watching the macworld 2008 presentation from
> nigel and jeff, and have the "pulling strings" book here for
> reference.
> 
> i needed ruby 1.9.1 for a class i took but installed from source
> under /usr/local, so all the default ruby 1.8 stuff is completely
> separate. macports doesn't really appeal to me; i'd rather have source
> or pkg installs to deal with.

Actually, Ports is almost the same as using a package install where the 
packages take much longer to install.  (If you have a compiler installed)




Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a scoping question

2010-02-25 Thread Patrick

On Feb 25, 2010, at 11:23 AM, Marcello de Sousa wrote:

> Patrick,
> 
> If you do that you would put all the public keys together, wouldn't you ?
> That means users would be able to login as any other user. That is of course
> not what you want.
> 
> We need to deploy a single specific public key per user.
> 
> Gr,
> Marcello

I guess I misunderstood your question.  I thought you had a really strange 
setup where you were doing just that.




Re: [Puppet Users] ssh::auth server dependency on ~/.ssh and a scoping question

2010-02-25 Thread Patrick
What about deploying the keys to /etc/skel?  Would that be enough for what you 
want?


On Feb 25, 2010, at 8:47 AM, Marcello de Sousa wrote:

> Hi Andrew,
> 
>>> "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
>>> As far as I know this is not possible with puppet.
>> 
>> Marcello, I want to understand your use case.  AD and LDAP seem to be
>> fairly common in Puppet installations, and I'd like for ssh::auth to
>> work well with them.  But I'm not that familiar with them.
>> 
>> Are you saying that once a user is authorized for a host (or the whole
>> domain), the user exists on that host, but his/her home directory
>> doesn't, until they first log in?
> 
> The user doesn't exactly "exist" on that host. The user and his group
> membership are 'visible' (via AD/ldap) and he might be authorized to login
> to that host. His homedir doesn't exist initially indeed.
> 
>> When the user logs in, is his/her home directory automounted from a
>> network share?
> 
> No, although this might be possible.
> But this is not default and is not what I want now.
> 
>> In that case, the place to deploy the ssh keys would be in the
>> user's home directory on the file server.  Or, is the home directory
>> created locally on the host the first time the user logs in?
> 
> Exactly.
> 
>> It would seem to me that once a user is authorized for a host, you'd
>> want to create his/her ~/.ssh/authorized_keys right away, so they can log in
>> by ssh.
>> If you can explain the sequence of how users get created and
>> authorized and when their home directories get created, it would help
>> me to address the need.
>> 
>> Andrew.
> 
> Let me try to explain that:
> Based on a AD group membership I allow the users to login or not. If you
> don't configure that parameter on lwopen (Likewise-open) client ("require
> membership of") all domain users are allowed to login. 
> 
> Next to that Likewise-open uses a hash of your ActiveDirectory-UID/GID to
> generate your unix UID/GID.
> Once you login to the machine for the first time lwopen will create your
> homedir with the proper rights (proper hashed UID/GID and optionally
> domainname). For example an "ls -ln" would show some info like:
> 
> drwxr-xr-x  953680985 953680385 /home/mydomain/myusername
> 
> Next to that lwopen would create a .k5login on that directory to allow
> single sign on via Kerberos. That's one more reason I need lwopen doing that
> and not puppet.
> 
> My whole lwopen configuration is deployed via puppet. On the machines that I
> login, after my homedir is properly created, I would like to be able to
> deploy my .ssh/authorized_keys as an alternative to Kerberos SSO. Btw,
> that's because Kerberos SSO has some issues, but that's off-topic. :)
> 
> So what I need looks simple but surprisingly difficult to achieve:
>>> "IF homedir exists => deploy .ssh/authorized_keys , else do nothing"
> 
> Is this enough info about the use case ? Ideas anyone ?
> 
> Gr,
> Marcello



Re: [Puppet Users] Re: Strange messages on 0.25.4.

2010-02-23 Thread Patrick
The only explanation that I can find that explains the problems that I and a 
few other users have been having is that 0.25.x adds a security feature that 
makes it needed during the creation of client certificates.  (Either that or 
during the signing or retrieval of the certificates.)  It could be a bug, but I 
think it's more likely a feature. 

As a workaround you could try adding the client to the server's /etc/hosts file.

On Feb 23, 2010, at 1:22 AM, Nobuchika Tanaka wrote:
> 
> Does Puppet need DNS internally?
> 
> Nobuchika Tanaka.




Re: [Puppet Users] Re: Strange messages on 0.25.4.

2010-02-23 Thread Patrick

On Feb 22, 2010, at 9:34 PM, Nobuchika Tanaka wrote:
> 
> err: Could not resolve 10.72.150.56: undefined method `include?' for
> nil:NilClass
> err: Could not resolve 10.72.150.56: undefined method `include?' for
> nil:NilClass
> info: Could not find certificate for 'sol10tst1'
> err: Could not resolve 10.72.150.56: undefined method `include?' for
> nil:NilClass
> info: Could not find certificate_request for 'sol10tst1'
> err: Could not resolve 10.72.150.56: undefined method `include?' for
> nil:NilClass
> notice: sol10tst1 has a waiting certificate request
> notice: Signed certificate request for sol10tst1
> notice: Removing file Puppet::SSL::CertificateRequest sol10tst1 at '/
> etc/puppet/ssl/ca/requests/sol10tst1.pem'
> err: Could not resolve 10.72.150.56: undefined method `include?' for
> nil:NilClass
> #

This might be a failed reverse lookup to me.  I don't know enough to help you, 
but giving this information might help the devs.

Is 10.72.150.56 the client or the server?
Also, what happens on each of them if you do an nslookup for 10.72.150.56?  




[Puppet Users] Re: Magazine article comparing CPU usage of Puppet vs. Cfengine

2010-02-22 Thread Patrick (kc7zzv)
On Feb 22, 1:17 pm, Toby Riddell  wrote:
> I received my copy of ;login (the Usenix magazine) today. There's an
> article* comparing CPU utilisation of Puppet and Cfengine. To
> abbreviate massively: Puppet requires much more CPU than Cfengine when
> both verifying and fixing configuration.

I had major CPU and RAM trouble back when I was using puppet to copy
big binary files.  I switched to deploying them using a custom apt
server, and most of my problems went away.  I've also had trouble with
clients that have a high latency to the server in 0.24.x, but I've
heard that's fixed in 0.25.x.
-Patrick Mohr




[Puppet Users] Re: Strange messages on 0.25.4.

2010-02-22 Thread Patrick (kc7zzv)
On Feb 22, 12:37 pm, deet  wrote:
> > Did you add the FQDN of the server, the server's name, or both to the
> > hosts file on the client?
>
>   Our hosts only have a "node" name as we don't have nis/ldap/dns for
> network name resolution.
>
>   In this case the puppet master's hostname is "dev-puppet" and I did
> not include that in the clients hostfile.  The entry I used is like
> this
>
> (clients hosts file)
> X.X.X.X     puppet
>
>   And on the puppetmaster server I used the following notation for the
> client's hosts entry.  The real name of the client in this example is
> "dev-sandbox" which is what I put in the puppetmasters hosts file.
>
> (puppetmaster hosts file)
> X.X.X.X     dev-sandbox
>
>   Once the cert exchange is complete I can remove that hosts entry for
> the client.
>
>   Does that help?
>

That's very helpful.  I've been pulling my hair out trying to figure
out what's wrong.  Our clients are behind a NATed VPN that the server
can't see through.  (Long story.  Don't ask.)  This should be enough
information to get a good bug report, and set up a temporary fix.
-Patrick




[Puppet Users] Re: Strange messages on 0.25.4.

2010-02-22 Thread Patrick (kc7zzv)
On Feb 22, 9:08 am, deet  wrote:
>  My work around was to populate the hosts file with a puppet entry and
> remove the "--server X.X.X.X" flags from my boot strap script.
> Additionally I had to ensure the client node has an entry in the
> masters hosts file.
>
>  I still assume this is something I've brought on myself with my lack
> of network name resolution.  I'm just hoping the info helps the OP.
>
>   Derek.


Other people are having this trouble too including me.  I just figured
that 0.25 was broken in ubuntu.  More information at
http://projects.reductivelabs.com/issues/3083.  I'm trying to figure
out the minimum DNS needed.

Did you add the FQDN of the server, the server's name, or both to the
hosts file on the client?

Did you add puppet, puppet.domain, or both to the client's hosts file?

Is the server's FQDN puppet or something else?

I'm hoping that if I can figure out what works for you, I'll have a
place to start.
-Patrick




Re: [Puppet Users] Certificate BitRate

2010-02-07 Thread Patrick
This probably isn't exactly what you're looking for, but that's covered at 
http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities along 
with other stuff to increase security.  I haven't done it myself, but it would 
be a bit of work.
-Patrick

On Feb 7, 2010, at 10:27 AM, Joe McDonagh wrote:

> Hey Guys, I looked at one of my puppet certs while troubleshooting a
> problem getting Splunk to use them, and I discovered they look to be
> 1024 bits. Is there a way to change this to at the very least 2048 bits?
> I prefer 3072 or 4096, but if it's not an option maybe I should file a
> feature request.





Re: [Puppet Users] Making the new users experience easier

2010-02-06 Thread Patrick

On Feb 5, 2010, at 11:38 AM, Patrick wrote:
> 
> 2) DNS: My setup was small and simple, so I've been using dnsmasq for DNS and 
> DHCP.  Dnsmasq doesn't support cnames so the auto-generated cert name on the 
> puppetmaster doesn't work.  I suggest that all autogenerated certificates 
> have an alias of "puppet" to make setup easier.
> 

It looks like I was wrong on this point, and that puppet already does this.  
Thanks for fixing this.

-Patrick Mohr




Re: [Puppet Users] Making the new users experience easier

2010-02-05 Thread Patrick

On Feb 5, 2010, at 4:06 AM, Nicolas Szalay wrote:

> On Tuesday 02 February 2010 at 12:08 -0500, Michael DeHaan wrote:
>> Just one more email and I'll let you go for a few hours :)
> 
> Hello puppeters
> 
> 
>> One of the things I like to see in apps is that they are immediately 
>> intuitive and easy to use for new users.  I think Puppet is really good 
>> here, but there's opportunity to make everything better.   We want 
>> everyone to love Puppet from their first few minutes using it, all the 
>> way through to datacenter nirvana.
>> 
>> With Puppet, if you're just learning it, what were some of your 
>> stumbling blocks?   If you are an existing user, think back to that 
>> time, or times when you were talking with new users?
> 
> To join Peter : SSL. SSL is just a pain in the a**. As you said, some
> don't want to know about ruby webservers in detail, some don't want to
> know about SSL.
> 
> Tell more in the beginner's guide about DNS, and the need to have a
> clean DNS for puppet to work fine.

While getting started I had some problems.

1) I couldn't find a simple skeleton puppet configuration.  I tried the 
tutorial, but there's lots of things that can go wrong, and figuring out what's 
wrong can be a pain if you don't know what you're doing.  A sample.tar.gz 
that has a module that does nothing but create a file in /tmp would be really 
helpful.  Just getting a configuration that works and does something can be 
rather hard.


2) DNS: My setup was small and simple, so I've been using dnsmasq for DNS and 
DHCP.  Dnsmasq doesn't support cnames so the auto-generated cert name on the 
puppetmaster doesn't work.  I suggest that all autogenerated certificates have 
an alias of "puppet" to make setup easier.


3.1) SSL: Adding another server to an existing puppet setup is rather difficult 
if you don't know much about SSL.  Here's something that would be helpful 
although it might be too hard to be feasible:
Make it possible to have a new puppetmaster get a signing certificate from an 
existing puppetmaster.  Then you'd use a command on the master server that's 
something like this "puppetca --sign --puppet-server newservername.localhost".

and/or

3.2) Allow the generation of server certificates on the server like this 
"puppetca --generate --puppet-server newserver.localhost" 

In either of these cases I'd ask that the default is to give the certificate an 
alias of "puppet".


4) Something nearly as good as 3 would be a shell script that uses ssh to login 
to the server as root and does the same thing using the openssl command.


5) Error ambiguity: sometimes it's hard to tell if an error is happening on the 
client-side or server-side.
-Patrick




[Puppet Users] Video of Building Agile Infrastructures with Puppet - Teyo Tyree - Devopsdays 09

2010-01-23 Thread Patrick Debois

Thought this might interest the list:

the video of the excellent talk by Teyo Tyree at www.devopsdays.org is 
now available:


video - http://blip.tv/file/3023407
slides - http://www.devopsdays.org/ghent09/programme

Enjoy!





[Puppet Users] Re: Behavior Driven Infrastructure

2009-11-12 Thread Patrick Debois

FYI: for those looking for examples and more discussions.

I've put my collection of infrastructure testing links online:
http://www.jedi.be/blog/2009/11/12/collection-of-test-driven-infrastructure-links/






[Puppet Users] Re: Behavior Driven Infrastructure

2009-11-07 Thread Patrick Debois

for what it's worth:

for a while I was experimenting with cucumber to test scripts running
on linux machines. And yes, IMHO it is the way to go.

It worked well with the behavior testing just as you guys described.
still just as in regular development, bdd can be complemented with
tdd.
The way i did the tdd, was by using the exit codes of the shell
commands. I created an abstraction in ruby for execute (local, remote)
and  upload, download of files.

If the command did not have exit 0 (the default) then i imagined the
test being failed.
Using snapshots of the virtual machines, I ran the scripts against a
virtual machine  (used virtualbox), with the ability to do a rollback.
I know this is not the way puppet normally operates, but I used the
(if i recall correctly) the puppetrun command to execute it and see
what happened
If all of these exit codes were ok (similar to unit tests), i ran the
bdd tests to see if everything was correct.

By integrating the tdd, and the bdd within a CI-system, I was able to
have it run continuously and rebuild the system over and over again.

Another thing I want to mention is that you can easily abstract
commands in a custom dsl, but I really like to see what actual
commands got executed.
This is slightly off topic maybe, but by logging/running the actual
commands and have the whole environment build like that (including
making a floppy, booting the vms)
it allowed me to create a kind of install document with the actual
commands instead of pointing to a newly invented DSL.
So I say yes to an abstraction layer, but no to hiding the actual
commands.

just my 2 c

On Nov 6, 3:56 pm, Lindsay Holmwood  wrote:
> 2009/11/6 Martin Englund :
>
> > Folks,
>
> > I've been struggling a bit with how we're using puppet (at my job):
> > how do you validate that puppet has done what it is supposed to, and
> > even troublesome, how you validate that it has done what you intended
> > it to do?
>
> > Since I'm the only one who is writing the puppet profiles and working
> > with it on a daily basis, I'm the only one who can decipher the puppet
> > logs. I often get the question: how do we know when the system is
> > ready for production?
>
> > I've been playing around[1] with cucumber & webrat, and have pieced
> > together a way to do behavior driven infrastructure testing. Puppet
> > takes care of getting the system configured correctly, but there are
> > often other pieces involved, like opening firewall ports, adding DNS
> > entries, sendmail routing, etc. Which must be done outside of puppet
> > to get the system ready for release.
>
> > When you write code, you always use unit testing & integration testing
> > to verify that the application is working as expected, but why don't
> > we use that when we install a system?
>
> > What are you using to verify that your system is correctly configured
> > and behaves the way you want?
>
> > [1] 
>
> [although i've commented on the excellent blog entry, i'm posting here]
>
> Hi Martin,
> It looks like there's a bit of crossover here with a project i've been
> working on the last few months called cucumber-nagios[0]. It takes the
> result of a Cucumber run and outputs it in the Nagios plugin format.
> Essentially you use it to express your intentions in plain language,
> and verify your intentions periodically through your monitoring
> system. Just like what you've posted about. :-)
>
> Anyhow, I spoke about cucumber-nagios at the excellent Devopsdays in
> Belgium last weekend, and I got talking with people about expanding
> the library of steps to cover things like logins over SSH, file
> manipulation, and mail delivery. It would be cool if we could
> centralise our efforts and focus on building an awesome library of
> reusable steps to test our infrastructure.
>
> Your point about doing behaviour driven development when writing
> software is right on the mark. From an infrastructure perspective, I
> like to think of Cucumber as the testing tool, and Puppet as the
> programming language.
>
> Anyhow, i'd be interested to hear what other people think about this idea!
>
> Cheers,
> Lindsay
>
> [0] http://auxesis.github.com/cucumber-nagios
>
> -- http://holmwood.id.au/~lindsay/ (me)
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~--~~~~--~~--~--~---
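The exit-code testing and command logging Patrick Debois describes in the message above, as an added example (not his code and not part of the original thread). `CommandLog`, `run_all`, `install_document` and the host name in the comment are hypothetical.

```ruby
require 'open3'

# Hypothetical helper (not from the thread): runs commands, keeps the literal
# command line and exit code of each, and treats any non-zero exit as failure.
class CommandLog
  Entry = Struct.new(:command, :exit_code, :output)

  attr_reader :entries

  # prefix is the argv the command string is handed to: ['sh', '-c'] locally,
  # or e.g. ['ssh', 'root@testvm'] (constructed host name) for a remote run.
  def initialize(prefix = ['sh', '-c'])
    @prefix = prefix
    @entries = []
  end

  # Runs one command and records it. Commands come from the test author,
  # never from untrusted input, because they are passed to a shell as-is.
  def run(command)
    output, status = Open3.capture2e(*@prefix, command)
    # exitstatus is nil when the process died from a signal: count as failure.
    entry = Entry.new(command, status.exitstatus || -1, output)
    @entries << entry
    entry
  end

  # Runs commands in order and stops at the first failure, like a failing
  # unit test. Returns true only when every command exited 0.
  def run_all(commands)
    commands.all? { |command| run(command).exit_code.zero? }
  end

  # The install document: exactly what was executed, in order.
  def install_document
    @entries.map { |e| format('[exit %d] %s', e.exit_code, e.command) }.join("\n")
  end
end

if __FILE__ == $PROGRAM_NAME
  log = CommandLog.new
  ok = log.run_all(['echo configure', 'test -d /', 'exit 3', 'echo not reached'])
  puts log.install_document
  puts(ok ? 'all steps passed' : 'a step failed; roll back the snapshot')
end
```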



[Puppet Users] softwareinventory with different preinstalled Linuxmachines / patch management

2009-04-05 Thread Patrick

We have a grown linux environment, which are different in
hardware/distribution/installed software.
The clients are mainly maintained by our users, but sometimes we need
to ensure that certain updates are installed.

1)
We would like to gather the information about the software releases
installed on our clients. This could be done with
   aptitude search -F '%p%v' ~i
or
   rpm -qa --qf "%{NAME},%{VERSION}\n"

Can puppet gather information about installed software/versions and
send it to a central server? Does somebody have a recipe to accomplish
that?

2) Updates / Patch management
Are there any best-practices about "Patch management with puppet"?
For example, we want to upgrade a package only if an earlier version
currently exists on the client.
When I use "ensure => latest", a package would be updated to the
latest package. It would also be installed even if an earlier version was
not installed before.

Are there maybe better tools for our case?

Patrick




[Puppet Users] Re: Installing latest updates until a certain date

2009-03-17 Thread Patrick Debois
Bruce Richardson wrote:
> On Tue, Mar 17, 2009 at 10:48:23AM +0100, Patrick Debois wrote:
>   
>>> The only sure way to control what is pushed/pulled to your systems is to
>>> maintain a local package mirror.  Then you can make sure that only
>>> the packages you want are visible to your hosts.
>>>
>>>   
>>>   
>> So that means, you would need to setup a repository per patch 
>> combination you want to test?
>> 
>
> You didn't say you wanted arbitrary combinations, just combinations up
> to an arbitrary date, which is simpler to manage.  You don't even need
> genuine multiple mirrors; you could use dirvish or rdiff-backup to
> create a series of apparent snapshots.
>
>   
Nice idea to use dirvish: that would indeed allow me to avoid
duplication of the repository and, if I understand it right,
I can have different environments use different snapshots at the same
time, f.i. dev and test on repository X and pre-prod on version Y.

>> Even when you sync a repository, you always get the latest version 
>> mirrored. That means if I need to re-install a machine and rebuild the 
>> repository, I can't get it in the same state I want.
>> 
>
> Debian manages that problem with its release structure, but you
> probably don't want to hear that.
>
>   
Would it make sense to use the Build Date or the Signature date for this?

# rpm -qi httpd
Name        : httpd                            Relocations: (not relocatable)
Version     : 2.2.3                            Vendor: CentOS
Release     : 11.el5_2.centos.4                Build Date: *Wed 12 Nov 2008 04:43:28 PM CET*
Install Date: Wed 04 Mar 2009 04:33:54 PM CET  Build Host: builder10.centos.org
Group       : System Environment/Daemons       Source RPM: httpd-2.2.3-11.el5_2.centos.4.src.rpm
Size        : 3054248                          License: Apache Software License
Signature   : *DSA/SHA1, Wed 12 Nov 2008 11:54:27 PM CET, Key ID a8a447dce8562897*
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible web server.


>> Is there any way to retrieve the date a package was released? I've been 
>> thinking of writing a yum-filter but don't find the exact release-date info.
>> 
>
> If you used dirvish to make a snapshot of your yum repo every time you
> update it, you can always go back to a particular state of the repo.
> It's a lightweight solution.
>
>   
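Picking package versions by Build Date, as asked about in the message above, shown as an added example (not code from the thread). It assumes a listing of the mirror's package files in the query format given in the comment; `parse_builds`, `pin_to_date` and the sample rows are hypothetical, and Build Date is when a package was built, which can precede the day it reached the mirror.

```ruby
Build = Struct.new(:name, :evr, :built)

# Constructed sample in the shape printed by
#   rpm -qp --qf '%{NAME} %{VERSION}-%{RELEASE} %{BUILDTIME}\n' *.rpm
# BUILDTIME is seconds since the epoch. Only the middle httpd row uses the
# release and build date quoted in the message; the rest is made up.
SAMPLE = [
  "httpd 2.2.3-1.example #{Time.utc(2008, 1, 17).to_i}",
  "httpd 2.2.3-11.el5_2.centos.4 #{Time.utc(2008, 11, 12, 15, 43, 28).to_i}",
  "httpd 2.2.3-99.example #{Time.utc(2009, 4, 1).to_i}",
  "newtool 1.0-1.example #{Time.utc(2009, 2, 1).to_i}",
  'garbled line without a timestamp'
].join("\n")

# Parses "NAME VERSION-RELEASE BUILDTIME" lines; malformed lines are skipped
# rather than guessed at, so a bad row can never select a package.
def parse_builds(text)
  text.each_line.map do |line|
    name, evr, epoch = line.split
    next unless epoch && epoch.match?(/\A\d+\z/)
    Build.new(name, evr, Time.at(epoch.to_i).utc)
  end.compact
end

# For each package name, the newest build made at or before the cutoff.
# Packages that only have later builds are left out entirely.
def pin_to_date(builds, cutoff)
  builds.select { |b| b.built <= cutoff }
        .group_by(&:name)
        .map { |name, candidates| [name, candidates.max_by(&:built).evr] }
        .to_h
end

if __FILE__ == $PROGRAM_NAME
  pins = pin_to_date(parse_builds(SAMPLE), Time.utc(2008, 12, 31))
  pins.each { |name, evr| puts "#{name}-#{evr}" }
end
```

The resulting name and version-release pairs are what would go into explicit `ensure` versions or a pinned package list, so a reinstall resolves to the same set.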





[Puppet Users] Re: Installing latest updates until a certain date

2009-03-17 Thread Patrick Debois
Bruce Richardson wrote:
> On Tue, Mar 17, 2009 at 09:15:59AM +0100, Patrick Debois wrote:
>   
>> Sorry if this might be slightly off topic here. But it might be you have 
>> encountered a similar problem.
>> 
>
> The only sure way to control what is pushed/pulled to your systems is to
> maintain a local package mirror.  Then you can make sure that only
> the packages you want are visible to your hosts.
>
>   
So that means, you would need to setup a repository per patch 
combination you want to test?
Even when you sync a repository, you always get the latest version 
mirrored. That means if I need to re-install a machine and rebuild the 
repository, I can't get it in the same state I want.

Is there any way to retrieve the date a package was released? I've been 
thinking of writing a yum-filter but don't find the exact release-date info.

Patrick




[Puppet Users] Installing latest updates until a certain date

2009-03-17 Thread Patrick Debois

Hi folks,

I'm looking for a way to install a system with all packages/patches
until a certain date. This might not be up to puppet to solve, if
underlying yum/package-systems don't have this facility.
The reason is that when reinstalling a system, I want to control what it
means to update until the latest version, and I find it a hassle to specify
each version of the package every time it changes.

Sorry if this might be slightly off topic here. But it might be you have 
encountered a similar problem.

Thanks
Patrick







[Puppet Users] Does it do anything?

2008-09-17 Thread Patrick Rutkowski

Let's say that one defines a group resource sans the ensure=>"present"
statement, and also neglects to put any require=>Group["foo"] statements
into any other resources. Will this resource have any effect?

-Patrick

P.S.
I realize now after typing up the question that the issue probably
applies to other non-group resources in the same fashion; but please
correct me if I'm wrong on that point.




