Re: [Puppet Users] Re: Security of facts (aka: who can see my facts?)

2013-11-04 Thread Virender Khatri
PuppetDB also exposes facts etc. details via API calls too; you might want
to check that out.

Take a look at the hiera-gpg Puppet module to store Hiera variables in
encrypted form; it will provide enough security on the Hiera/Git side.


On Mon, Nov 4, 2013 at 7:49 PM, Arnaud Gomes-do-Vale wrote:

> Chuck  writes:
>
> > I wouldn't put any sensitive information in a fact, unless the only people
> > with access to PuppetDB and your Servers are admins who already have access
> > to this information.  But even then I still wouldn't do it.
>
> That's more or less the conclusion I arrived at, except I can't find any
> real reason not to trust the Puppet ecosystem with my facts. I mean, my
> servers and PuppetDB are secure (well, they should be, unless I screwed
> things up), inventory service is turned off on my dashboard, so I should
> be safe, shouldn't I?
>
> > At this time I would say the best route would be something like hiera.
>
> Except AFAIU Hiera doesn't allow me to generate values on the client
> node. The whole point of my fact-based approach is that I don't want to
> manage database passwords, they just have to be long-enough random
> strings.
>
> --
> A
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/y9hzjpkfdw2.fsf%40licencieux.ircam.fr
> .
> For more options, visit https://groups.google.com/groups/opt_out.
>

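A defender-side audit of the exposure discussed in this thread, as an added example that is not part of the original messages: it scans a facts query result for facts that look like secrets, either by name or because the value is a long random string (the kind of generated database password the thread describes). It assumes the PuppetDB facts query returns a JSON array of objects with certname, name and value keys; the sample data, the name pattern and the thresholds are constructed for illustration.

```ruby
require 'json'

# Constructed sample in the shape of a PuppetDB facts query result:
# a JSON array of {certname, name, value}. Hosts and values are made up.
SAMPLE_FACTS_JSON = <<~JSON
  [
    {"certname": "db1.example.com",  "name": "osfamily",            "value": "RedHat"},
    {"certname": "db1.example.com",  "name": "mysql_root_password", "value": "q8Zr2LxW0pVt7HcYb3NdKe5s"},
    {"certname": "db1.example.com",  "name": "pgsql_app_auth",      "value": "x7Kf0QmZ2sLw9RtB4vNc"},
    {"certname": "web1.example.com", "name": "ipaddress",           "value": "192.0.2.10"},
    {"certname": "web1.example.com", "name": "app_session_token",   "value": "Jm4Xa9TqRw2UoB6yEz1C"},
    {"certname": "web1.example.com", "name": "sshrsakey",           "value": "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7"}
  ]
JSON

# Fact names that suggest a credential (hypothetical pattern, tune per site).
SECRET_NAME = /pass(word|wd)?|secret|token|private|credential|api_?key/i
# Facts that are public by design and would otherwise trip the entropy check.
PUBLIC_FACTS = %w[sshrsakey sshdsakey sshecdsakey].freeze

# Shannon entropy in bits per character.
def entropy(str)
  return 0.0 if str.empty?
  str.each_char.tally.values.sum do |count|
    prob = count.to_f / str.length
    -prob * Math.log2(prob)
  end
end

# Returns one finding per fact that looks like a secret, with the reasons.
def audit_facts(json, min_len: 16, min_entropy: 3.5)
  JSON.parse(json).each_with_object([]) do |fact, findings|
    name = fact['name']
    value = fact['value'].to_s
    next if PUBLIC_FACTS.include?(name)
    reasons = []
    reasons << 'name' if name.match?(SECRET_NAME)
    random_looking = value.length >= min_len && value !~ /\s/ && entropy(value) >= min_entropy
    reasons << 'entropy' if random_looking
    findings << { certname: fact['certname'], name: name, reasons: reasons } unless reasons.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_facts(SAMPLE_FACTS_JSON).each do |f|
    puts "#{f[:certname]}: #{f[:name]} (#{f[:reasons].join(', ')})"
  end
end
```

The entropy check is what catches a generated password stored under a name that gives nothing away, such as the constructed pgsql_app_auth fact.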


Re: [Puppet Users] Puppet agent and puppet master

2013-09-16 Thread Virender Khatri
You can use splay to schedule agent runs, and yes, you can view agent run /
changes status in /var/log/messages.

http://docs.puppetlabs.com/references/latest/configuration.html#splay

-V


On Mon, Sep 16, 2013 at 4:27 PM, Adeel Bhatti wrote:

> Hi,
>  Is it necessary to access the client machine and execute the agent
> command manually to take in configuration? Or if the agent can know
> itself that the server has some changes for it!
>
> Secondly, can't we have the agent's logs/status of taking in
> changes/configurations?
> I am using open source puppet master!
>
> Adeel
>


Re: [Puppet Users] Add a public ssh key from node A to authorized keys on node B

2013-08-05 Thread Virender Khatri
Well, actually it is straightforward.

Just create an ssh_authorized_keys resource for a user for both nodes and
store the private key in .ssh/id_rsa or define the Identity key file in
.ssh/config.




On Sat, Aug 3, 2013 at 7:12 AM, Mark Ruys  wrote:

> With the risk I ask a question answered a hundred times before (which I
> couldn't find)...
>
> On node A I want to create a ssh key. For this I exec a ssh-keygen. Now I
> want the generated public key added to the authorized key file of node B.
> Probably I need the ssh_authorized_key resource for this. But then I need
> the public key of node A as a string in node B. I can't see how to achieve
> this with exported resources. So my guess is that I need to write a custom
> fact to read ~/.ssh/id_rsa.pub on node A in order to collect it on node B.
>
> Is this the way I should go? Or is there a better approach?
>
> Thanks, Mark
>




Re: [Puppet Users] Re: ERB Template Newb Question

2013-07-14 Thread Virender Khatri
If you are using hiera, you can set the default value to UNSET for those
variables; that should do it.

$rabbitmq_port = hiera('rabbitmq_port', 'UNSET')

If you are using host facts, you can modify the if condition like this:

<% if @rabbitmq_port != '' and @rabbitmq_port != 'UNSET' -%>

-Virender


On Sat, Jul 13, 2013 at 8:01 AM,  wrote:

> Could you show the puppet code that sets '$rabbitmq_port' and
> '$rabbitmq_address' ?
>
> I'd recommend dropping a line like this in your template:
>
> NODE_PORT=<%= @rabbitmq_port.inspect %>
>
> (If you see 'nil', the variable either hasn't been set or has been set to
> 'undef').
>
> Eric
>




Re: [Puppet Users] how to run backtick in erb file

2013-06-25 Thread Virender Khatri
If you are managing sssd* package(s) via puppet, you can try this:

module.pp -

# Choose the PAM session module depending on whether both packages are declared
if defined(Package['sssd']) and defined(Package['sssdxx']) {
  $session_variable = 'sss.so'
} else {
  $session_variable = 'pam_ldap.so'
}

template.erb -

session optional  <%= @session_variable -%>

On Tue, Jun 25, 2013 at 6:19 PM, Ken Barber  wrote:

> > I am very new to puppet and want to implement something like this in my
> > puppet template (erb file)
> >
> > the logic i am trying to do is :
> >
> >  sssd_count=`rpm -qa | grep 'sssd' | wc -l`
> >
> > <% if  sssd_count =2 -%>
> > session optional  sss.so
> > <% else %>
> > session optional  pam_ldap.so
> > <% end -%>
> >
> > but the backtick does not work.. or I am unable to store the expected value
> > into sssd_count
> > is there any other way to perform this task ??
>
> You probably want the syntax to look something like:
>
> <% sssd_count=`rpm -qa | grep 'sssd' | wc -l` -%>
>
> <% if  sssd_count =2 -%>
> session optional  sss.so
> <% else %>
> session optional  pam_ldap.so
> <% end -%>
>
> Notice how I've wrapped the variable declaration in <% -%>. However, I
> imagine the real problem here is that templates do not run on the
> destination agent, they run on the puppet master - which is probably
> why it hasn't been working out for you. So unless you're running in
> masterless mode, forget this methodology.
>
> > I will be really grateful if i can get some help ..
>
> A far more efficient way of doing this, is to make your module install
> the 'sssd' package for you (could be conditional also). That way
> you're not having to detect the state of the package, instead you are
> enforcing the state you want.
>
> If you really can't do this, then what you want is to write a fact
> that tells you whether the package is installed or not or just a fact
> that grabs all packages perhaps, and you later pick the package from a
> list. Facts run on the agent very early in the cycle, and their
> content is submitted to the master - so can be used in templates like
> the one you have created.
>
> ken.
>
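The fact-driven template suggested in this thread, as an added example that is not code from any of the messages: plain Ruby ERB stands in for the master-side render, `sssd_installed` is a hypothetical fact name, and the string values assume a master that delivers facts as strings (the Puppet 3 default). The first template shows how a plain truthiness test selects sss.so even when the fact says "false".

```ruby
require 'erb'

# Minimal stand-in for the scope a Puppet master hands to a template:
# every variable (facts included) is exposed as an instance variable.
class TemplateScope
  def initialize(vars)
    vars.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  def render(template)
    ERB.new(template, trim_mode: '-').result(binding)
  end
end

# Truthiness test: any non-nil string passes, including "false".
NAIVE_TEMPLATE = <<~'TPL'
  <% if @sssd_installed -%>
  session optional  sss.so
  <% else -%>
  session optional  pam_ldap.so
  <% end -%>
TPL

# Explicit comparison: only the exact string "true" selects sss.so.
STRICT_TEMPLATE = <<~'TPL'
  <% if @sssd_installed.to_s == 'true' -%>
  session optional  sss.so
  <% else -%>
  session optional  pam_ldap.so
  <% end -%>
TPL

# Constructed fact sets as the master would receive them (values are strings).
WITH_SSSD    = { 'sssd_installed' => 'true' }.freeze
WITHOUT_SSSD = { 'sssd_installed' => 'false' }.freeze

# Renders the template with the given facts and returns the single PAM line.
def pam_session_line(template, facts)
  TemplateScope.new(facts).render(template).strip
end

if __FILE__ == $PROGRAM_NAME
  [NAIVE_TEMPLATE, STRICT_TEMPLATE].each do |tpl|
    [WITH_SSSD, WITHOUT_SSSD].each { |facts| puts "#{facts} => #{pam_session_line(tpl, facts)}" }
  end
end
```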