[Puppet Users] Re: puppetdb ssldir chown is breaking PuppetDB

2021-02-01 Thread comport3
The files '/etc/puppetlabs/puppet/ssl/private_keys/hostname.pem' and 
'/etc/puppetlabs/puppetdb/ssl/private.pem' seem to be linked to each other 
somehow.
Not symlinked or hardlinked (which can have different owner/permission) but 
something else I can't figure out.
Changing the ownership or mode on one file consistently impacts the other 
one.

Help ?!


[Puppet Users] Re: puppetdb ssldir chown is breaking PuppetDB

2021-02-01 Thread comport3
EDIT: Do NOT use the previously provided workaround. For reasons I DO NOT 
currently understand, it's also changing the ownership of the private key 
located in "/etc/puppetlabs/puppet/ssl/private_keys/*pem"

Not sure what to do next - downgrade? File a bug report?


[Puppet Users] Re: puppetdb ssldir chown is breaking PuppetDB

2021-02-01 Thread comport3
Here is a workaround for anyone else affected by the same issue, noting the 
caveat is it will apply on every run -

```
# Re-asserts owner, group and mode on the PuppetDB SSL directory and its PEM
# files. The $ssl_* and $puppetdb_* variables come from the inherited
# puppetdb class.
class profile::puppetdb inherits puppetdb {
  contain puppetdb
  contain puppetdb::master::config
  file {
    $ssl_dir:
      ensure => directory,
      owner  => $puppetdb_user,
      group  => $puppetdb_group,
      mode   => '0700';
    $ssl_key_path:
      ensure => file,
      owner  => $puppetdb_user,
      group  => $puppetdb_group,
      mode   => '0640';
    $ssl_cert_path:
      ensure => file,
      owner  => $puppetdb_user,
      group  => $puppetdb_group,
      mode   => '0644';
    $ssl_ca_cert_path:
      ensure => file,
      owner  => $puppetdb_user,
      group  => $puppetdb_group,
      mode   => '0644';
  }
}
```



[Puppet Users] Re: puppetdb ssldir chown is breaking PuppetDB

2021-02-01 Thread comport3
Trying to fix the problem with "chattr +i *pem" results in Puppet breaking 
fairly spectacularly, output:
```
Error: Failed to set owner to '998': Operation not permitted @ apply2files 
- /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: 
/File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner: 
change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: Failed to set group to '998': Operation not permitted @ apply2files 
- /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: 
/File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group: 
change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
Error: Failed to set owner to '998': Operation not permitted @ apply2files 
- /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: 
/File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner:
change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: Failed to set group to '998': Operation not permitted @ apply2files 
- /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: 
/File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group:
change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
Error: Failed to set owner to '998': Operation not permitted @ apply2files 
- /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 
'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not 
permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: Failed to set group to '998': Operation not permitted @ apply2files 
- /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 
'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not 
permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
Error: Could not prepare for execution: Got 3 failure(s) while 
initializing: 
File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: 
change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]: 
change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
Operation not permitted @ apply2files - 
/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
'puppet' failed: Failed to set owner to '998': Operation not permitted @ 
apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; 
File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
'puppet' failed: Failed to set group to '998': Operation not permitted @ 
apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
```


-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users"

[Puppet Users] puppetdb ssldir chown is breaking PuppetDB

2021-01-31 Thread comport3

It seems the puppet agent, when invoked by the service or manually, is 
resetting the permissions on the files in the puppetdb ssldir 
(/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to 
puppet:puppet AND the 
mode on the 'private.pem' file to 0640, which means the next time the 
puppetdb service attempts to start, it fails due to a lack of permission.

This only seems to have come up in the past week or so, as we've only just 
started observing it, and causing problems. We have a temporary workaround 
where we chown the files back to puppetdb, start PuppetDB and that's fine, 
but next puppet agent invocation causes the above issue.

Has anyone else observed this problem? Is it a bug?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/be8dffc3-c4cc-41b6-8c91-ad2182e7efd2n%40googlegroups.com.
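
For the observation in this thread that changing ownership or mode on one key path also changes the other: an added example (not from the poster or the Puppet project) that classifies how two paths relate on disk. It goes beyond the symlink and hard-link cases mentioned there by also covering a symlinked parent directory and a second mount of the same filesystem; it assumes GNU `stat` and `readlink`, and the function names and sample tree are this example's own.

```shell
#!/bin/sh
# Added example: decide whether two paths are the same file on disk, and why.
# Assumes GNU coreutils (stat -c, readlink -f). Function names are illustrative.

# Print "owner:group mode" of the file a path finally resolves to.
owner_mode() {
    stat -L -c '%U:%G %a' -- "$1"
}

# Print one word describing how paths $1 and $2 relate:
#   different    distinct inodes; chown/chmod on one cannot affect the other
#   symlink      both names canonicalise to one path: the file itself or a
#                parent directory is a symbolic link (or the names are equal)
#   hardlink     one inode under two names, link count above 1
#   other-mount  one inode, link count 1, two canonical names: the same
#                filesystem is visible at two places, e.g. a bind mount
path_relation() {
    id_a=$(stat -L -c '%d:%i' -- "$1") || return 2
    id_b=$(stat -L -c '%d:%i' -- "$2") || return 2
    if [ "$id_a" != "$id_b" ]; then
        echo different
        return 0
    fi
    real_a=$(readlink -f -- "$1")
    real_b=$(readlink -f -- "$2")
    if [ "$real_a" = "$real_b" ]; then
        echo symlink
    elif [ "$(stat -L -c '%h' -- "$1")" -gt 1 ]; then
        echo hardlink
    else
        echo other-mount
    fi
}

# Build a constructed tree (sample data, not the real /etc/puppetlabs layout)
# and print its root directory.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/puppet/ssl/private_keys" "$root/puppet/ssl/certs" \
             "$root/puppetdb/ssl"
    echo 'constructed key'  > "$root/puppet/ssl/private_keys/host.pem"
    echo 'constructed cert' > "$root/puppet/ssl/certs/ca.pem"
    chmod 640 "$root/puppet/ssl/private_keys/host.pem" \
              "$root/puppet/ssl/certs/ca.pem"
    # Case 1: a directory symlink. The file below it is a regular file with
    # link count 1, so looking at the file alone shows nothing unusual.
    ln -s "$root/puppet/ssl" "$root/ssl-alias"
    # Case 2: a hard link.
    ln "$root/puppet/ssl/certs/ca.pem" "$root/puppetdb/ssl/ca.pem"
    # Case 3: an independent copy.
    cp "$root/puppet/ssl/private_keys/host.pem" "$root/puppetdb/ssl/private.pem"
    echo "$root"
}

if [ "$#" -eq 2 ]; then
    # Real use: sh this-script PATH_A PATH_B
    path_relation "$1" "$2"
    printf '%s  %s\n' "$(owner_mode "$1")" "$1" "$(owner_mode "$2")" "$2"
else
    # No arguments: classify the three constructed cases.
    t=$(make_tree)
    path_relation "$t/puppet/ssl/private_keys/host.pem" \
                  "$t/ssl-alias/private_keys/host.pem"
    path_relation "$t/puppet/ssl/certs/ca.pem" "$t/puppetdb/ssl/ca.pem"
    path_relation "$t/puppet/ssl/private_keys/host.pem" \
                  "$t/puppetdb/ssl/private.pem"
    rm -rf "$t"
fi
```

Any result other than `different` means a `file` resource managing one path also manages the other, whichever path it names.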


[Puppet Users] Re: puppetdb failover - implement ca self signed

2021-01-20 Thread comport3
You will need to enable DNS alt names in your CA config, and issue a few 
names per server - likely including a common one shared by all nodes such 
as "puppetdb.domain.example".
https://puppet.com/docs/puppetserver/6.12.2/scaling_puppet_server.html => 
dns_alt_names
Then you'll need to go through the steps to (re)configure your PuppetDB SSL 
setup. This is usually replacing the 'ssl-key', 'ssl-cert' and 
'ssl-ca-cert' defined in your jetty.ini config.
On my local setup this is located under /etc/puppetlabs/puppetdb/ssl/, use 
the same permissions as the old setup, then restart the 'puppetdb' services.
On Wednesday, January 20, 2021 at 3:32:54 AM UTC+11 Nerbolff wrote:

> Hello everyone. For security reasons, we decided to get 2 puppetdb servers 
> up and running. There will be a setup with *master* and *slave*.
>
> We thought of using our load balancer to perform this operation. So we 
> need a *cname* with a valid self-generated certificate. ie:   
> puppetdb.internet.net
>
>  
> Here's how I think I'm going to achieve it: 
>
> - I generated my puppetdb cert via the puppetca:
>
> $ sudo puppetserver ca generate --certname puppetdb.internet.net
> Successfully saved private key for puppetdb.internet.net to 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
> Successfully saved public key for puppetdb.internet.net to 
> /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
> Successfully submitted certificate request for puppetdb.internet.net
> Error:
> Signed certificate puppetdb.internet.net could not be found on the CA
> Successfully signed certificate request for puppetdb.internet.net
> Successfully saved certificate for puppetdb.internet.net to 
> /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem
>
>
> Then I copied over the freshly selfsigned cert from puppetca to puppetDB.
>  I changed the */etc/puppetlabs/puppetdb/conf.d/jetty.ini* like this : 
>
> ssl-key = /etc/puppetlabs/puppet/ssl/private_keys/puppetdb.internet.net.pem
> ssl-cert = /etc/puppetlabs/puppet/ssl/public_keys/puppetdb.internet.net.pem
> ssl-ca-cert = /etc/puppetlabs/puppet/ssl/certs/puppetdb.internet.net.pem
>
> Restarting my puppetdb, I get an error about certification 
> implementation. The error is not clear. Java errors.
>
> At the end, my goal is to start puppetdb with the certificate 
> *puppetdb.internet.net* loaded. Then the puppetmaster didn't 
> complain about the puppetca certificate. 
>
> Does someone have any idea?
> Thanks.
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/942f949f-afb8-4fda-8e2b-3ab9cb731095n%40googlegroups.com.
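
A type check for the three `jetty.ini` settings named in this thread (`ssl-key`, `ssl-cert`, `ssl-ca-cert`), as an added example that is not from the posters or from PuppetDB. It reads each path from the file and compares the PEM header with the kind of object that setting needs; the function names, the node name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: type-check the PEM files a PuppetDB jetty.ini points at.
# Function names and sample paths are illustrative, not part of PuppetDB.

# ini_get FILE KEY: print the value of the first "KEY = value" line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" |
        head -n 1
}

# pem_kind FILE: classify a file by its first PEM BEGIN line.
# Prints private-key, certificate, public-key, other or missing.
pem_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    first=$(grep -m 1 -e '^-----BEGIN ' -- "$1") || first=''
    case $first in
        *'PRIVATE KEY-----') echo private-key ;;
        *'CERTIFICATE-----') echo certificate ;;
        *'PUBLIC KEY-----')  echo public-key ;;
        *)                   echo other ;;
    esac
}

# check_jetty_tls FILE: one line per setting; returns 1 if any setting points
# at the wrong kind of file. A type check cannot tell a node certificate from
# the CA certificate, so ssl-ca-cert still needs a look at its subject.
check_jetty_tls() {
    ini=$1
    rc=0
    for pair in ssl-key:private-key ssl-cert:certificate ssl-ca-cert:certificate; do
        key=${pair%%:*}
        want=${pair#*:}
        path=$(ini_get "$ini" "$key")
        got=$(pem_kind "$path")
        if [ "$got" = "$want" ]; then
            status=ok
        else
            status=MISMATCH
            rc=1
        fi
        printf '%-11s %-8s expected=%s found=%s (%s)\n' \
            "$key" "$status" "$want" "$got" "$path"
    done
    return $rc
}

# write_pem FILE LABEL: constructed placeholder, header and footer only.
write_pem() {
    printf '%s\n' "-----BEGIN $2-----" 'CONSTRUCTED' "-----END $2-----" > "$1"
}

# Build constructed sample files and two configs; print the directory.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/private_keys" "$d/public_keys" "$d/certs"
    write_pem "$d/private_keys/node.pem" 'RSA PRIVATE KEY'
    write_pem "$d/public_keys/node.pem"  'PUBLIC KEY'
    write_pem "$d/certs/node.pem"        'CERTIFICATE'
    write_pem "$d/certs/ca.pem"          'CERTIFICATE'
    # ssl-cert points at the public key file instead of the certificate.
    printf '%s\n' '[jetty]' \
        "ssl-key = $d/private_keys/node.pem" \
        "ssl-cert = $d/public_keys/node.pem" \
        "ssl-ca-cert = $d/certs/node.pem" > "$d/mixed.ini"
    # Each setting points at the kind of file it needs.
    printf '%s\n' '[jetty]' \
        "ssl-key = $d/private_keys/node.pem" \
        "ssl-cert = $d/certs/node.pem" \
        "ssl-ca-cert = $d/certs/ca.pem" > "$d/good.ini"
    echo "$d"
}

if [ "$#" -eq 1 ]; then
    # Real use: sh this-script /etc/puppetlabs/puppetdb/conf.d/jetty.ini
    check_jetty_tls "$1"
else
    s=$(make_sample)
    check_jetty_tls "$s/mixed.ini"
    check_jetty_tls "$s/good.ini"
    rm -rf "$s"
fi
```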


[Puppet Users] puppetdb v7 test: no such file to load -- puppet/util/puppetdb

2020-12-08 Thread comport3

Whilst trying to test a new Puppet v7.0.0 master (which is OK) and 
PuppetDB, I get the following on PuppetDB:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: 
Internal Server Error: org.jruby.exceptions.LoadError: (LoadError) no such 
file to load -- puppet/util/puppetdb

Copying 'puppetdb.rb' to the path: 
'/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/util' fixes this issue.

I'm using the latest version (from Forge) of Puppetserver and Puppetdb 
modules on Ubuntu 20.04.

Any idea what I'm doing wrong?

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/ec0a5f33-88cf-4b0e-866f-13747e8f0033n%40googlegroups.com.


[Puppet Users] Upgrading puppet on servers with NOOP

2020-05-13 Thread comport3
Puppet bolt might be what you're after if there's a privileged key trust in 
place..

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e71b03a6-bf68-481b-b0fa-208b81e28df5%40googlegroups.com.


Re: [Puppet Users] Puppet on Ubuntu Focal

2020-04-29 Thread comport3
Thank you Justin, looking forward to that release tomorrow if there's no 
blockers. Please put us down as "very interested" when the Puppet Server / 
Master binaries would be available too - we currently have 2 data centers 
lined up for rollout on this platform+OS combo, and another in the planning 
stage.

On Thursday, April 30, 2020 at 3:20:17 AM UTC+10, Justin Stoller wrote:
>
>
>
> On Tue, Apr 28, 2020 at 4:46 PM comport3 wrote:
>
>> Thanks for the update Gabriel, appreciated. Do you know when v6.15.0 is 
>> expected to be released, even approximately?
>>
>
> Hopefully tomorrow ( : 
>
> We're double checking things now for the release and unless we find a 
> blocker that's when it will go out.
>
> FWIW, that will be for the agent, we haven't made a decision if it will be 
> a supported master platform yet.
>
> In general we try to have agents available for the next FOSS release after 
> an OS update comes out (~1 month), though some systems require more work 
> than others. After we get agent support we evaluate master support but 
> that's more of a business decision that depends on user demand.
>
> HTH,
> Justin
>
>
>> On Sunday, April 26, 2020 at 6:05:40 PM UTC+10, Gabriel Nagy wrote:
>>>
>>> Hi,
>>>
>>> Focal support will be added in the next puppet release (6.15.0). You can 
>>> still use the nightly builds in the meantime: 
>>> http://nightlies.puppet.com/apt/
>>>
>>> Thanks,
>>> Gabriel
>>>
>>>
>>> On Sun, Apr 26, 2020, 10:55 comport3  wrote:
>>>
>>>> This is the same as my experience on Friday - the release file is there 
>>>> but the packages are not yet available.
>>>>
>>>> The 'bionic' release and binaries work perfectly well though if it gets 
>>>> you past this step...
>>>>
>>>> On Sunday, April 26, 2020 at 1:07:14 AM UTC+10, Arpit sharma wrote:
>>>>>
>>>>>
>>>>> Actually I am using puppet as a standalone.
>>>>>
>>>>> I ran 
>>>>> *wget http://apt.puppetlabs.com/puppet6-release-focal.deb*
>>>>> *dpkg -i puppet6-release-focal.deb *
>>>>> *apt update*
>>>>>
>>>>> then when I ran 
>>>>> *apt install puppet-agent*
>>>>> This was the error
>>>>>
>>>>> Package puppet-agent is not available, but is referred to by another 
>>>>> package.
>>>>> This may mean that the package is missing, has been obsoleted, or
>>>>> is only available from another source
>>>>>
>>>>> E: Package 'puppet-agent' has no installation candidate
>>>>>
>>>>> and when I ran 
>>>>> apt install puppet it again installed
>>>>> *puppet -V*
>>>>> /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is 
>>>>> obsolete
>>>>> 5.5.10
>>>>>
>>>>> Few questions
>>>>> What is the difference between puppet and puppet-agent
>>>>> What is the difference between puppet in apt universe and the puppet 
>>>>> installed after adding the given repo.
>>>>> On Saturday, April 25, 2020 at 4:46:58 PM UTC+5:30, Martin Alfke wrote:
>>>>>>
>>>>>> Are you using system ruby, installing puppet as a Ruby gem? 
>>>>>> No need to do this. 
>>>>>> Puppet Agent ships required ruby version. 
>>>>>> Just add the repo (
>>>>>> http://apt.puppetlabs.com/puppet6-release-focal.deb) and then 
>>>>>> install puppet-agent package. 
>>>>>>
>>>>>> hth, 
>>>>>> Martin 
>>>>>>
>>>>>>
>>>>>> > On 24. Apr 2020, at 17:27, Arpit sharma  wrote: 
>>>>>> > 
>>>>>> > Since Focal ships with Ruby 2.7 I am having trouble  using puppet 
>>>>>> on Focal 
>>>>>> > Mostly related to this issue 
>>>>>> > https://tickets.puppetlabs.com/browse/PUP-10247 
>>>>>> > When can we expect to have a stable version for Focal? 
>>>>>> > 

Re: [Puppet Users] Puppet on Ubuntu Focal

2020-04-28 Thread comport3
Thanks for the update Gabriel, appreciated. Do you know when v6.15.0 is 
expected to be released, even approximately?

On Sunday, April 26, 2020 at 6:05:40 PM UTC+10, Gabriel Nagy wrote:
>
> Hi,
>
> Focal support will be added in the next puppet release (6.15.0). You can 
> still use the nightly builds in the meantime: 
> http://nightlies.puppet.com/apt/
>
> Thanks,
> Gabriel
>
>
> On Sun, Apr 26, 2020, 10:55 comport3 wrote:
>
>> This is the same as my experience on Friday - the release file is there 
>> but the packages are not yet available.
>>
>> The 'bionic' release and binaries work perfectly well though if it gets 
>> you past this step...
>>
>> On Sunday, April 26, 2020 at 1:07:14 AM UTC+10, Arpit sharma wrote:
>>>
>>>
>>> Actually I am using puppet as a standalone.
>>>
>>> I ran 
>>> *wget http://apt.puppetlabs.com/puppet6-release-focal.deb*
>>> *dpkg -i puppet6-release-focal.deb *
>>> *apt update*
>>>
>>> then when I ran 
>>> *apt install puppet-agent*
>>> This was the error
>>>
>>> Package puppet-agent is not available, but is referred to by another 
>>> package.
>>> This may mean that the package is missing, has been obsoleted, or
>>> is only available from another source
>>>
>>> E: Package 'puppet-agent' has no installation candidate
>>>
>>> and when I ran 
>>> apt install puppet it again installed
>>> *puppet -V*
>>> /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is 
>>> obsolete
>>> 5.5.10
>>>
>>> Few questions
>>> What is the difference between puppet and puppet-agent
>>> What is the difference between puppet in apt universe and the puppet 
>>> installed after adding the given repo.
>>> On Saturday, April 25, 2020 at 4:46:58 PM UTC+5:30, Martin Alfke wrote:
>>>>
>>>> Are you using system ruby, installing puppet as a Ruby gem? 
>>>> No need to do this. 
>>>> Puppet Agent ships required ruby version. 
>>>> Just add the repo (http://apt.puppetlabs.com/puppet6-release-focal.deb) 
>>>> and then install puppet-agent package. 
>>>>
>>>> hth, 
>>>> Martin 
>>>>
>>>>
>>>> > On 24. Apr 2020, at 17:27, Arpit sharma  wrote: 
>>>> > 
>>>> > Since Focal ships with Ruby 2.7 I am having trouble  using puppet on 
>>>> Focal 
>>>> > Mostly related to this issue 
>>>> > https://tickets.puppetlabs.com/browse/PUP-10247 
>>>> > When can we expect to have a stable version for Focal? 
>>>> > 
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/c524c6b2-6321-481d-bec8-8aa27453e13d%40googlegroups.com.


[Puppet Users] Re: PuppetDB : unable to upgrade 6.5 to 6.9 => SSL errors

2020-04-27 Thread comport3
"Redo SSL setup after changing certificates 

If you’ve recently changed the certificates in use by the PuppetDB server, 
you’ll also need to update the SSL configuration for PuppetDB itself.

If you’ve installed PuppetDB from Puppet packages, you can simply re-run 
the puppetdb ssl-setup command. Otherwise, you’ll need to again perform the 
SSL configuration steps outlined in the installation instructions."
https://puppet.com/docs/puppetdb/latest/maintain_and_tune.html

On Monday, April 27, 2020 at 5:17:39 PM UTC+10, Yvan Broccard wrote:
>
> Hi,
>
> I'm struggling with a simple update of PuppetDB since a couple of days, 
> without finding the problem.
> I have 4 PuppetServers running Puppetserver 6.9 
> (puppetserver-6.9.0-1.el7.noarch). One has the CA role, the 3 others are 
> simple masters. I have one dedicated PuppetDB server 
> running puppetdb-6.5.0-1.
>
> Everything is working like a charm since a couple of years. It was updated 
> from Puppet 3, 4 and 6 without a glitch. Everything is running on CentOS 7.
>
> Now, when I want to update PuppetDb from 6.5 to 6.9, nothing works anymore.
>
> All nodes are complaining with these messages :
>
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for vmlabybr06.staging.rsvgnw.local: Failed to find facts from PuppetDB at vmprdpuppet41.rsvgnw.local:8140: Failed to execute '/pdb/query/v4/nodes/vmlabybr06.staging.rsvgnw.local/facts' on at least 1 of the following 'server_urls': https://vmctldeploy20.rsvgnw.local:8081
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Info: Loading facts
> Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=5da252cdae0fc1737726e9ace846d74856395703=5=vmlabybr06.staging.rsvgnw.local=replace_facts=2020-04-09T13:15:44.382Z' on at least 1 of the following 'server_urls': https://vmctldeploy20.rsvgnw.local:8081
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
>
>
> In the server log I get this :
>
> 2020-04-09T15:22:45.169+02:00 WARN  [qtp1002336767-143] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
> javax.net.ssl.SSLException: Received fatal alert: handshake_failure
>     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
>     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
>     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
>     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
>     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
>     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
>     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:271)
>     at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:316)
>     at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:503)
>     at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
>     at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
>     at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
>     at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
>     at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588)
>     at java.lang.Thread.run(Thread.java:748)
> 2020-04-09T15:22:45.171+02:00 WARN  [qtp1002336767-143] [puppetserver] Puppet Error connecting to vmctldeploy20.rsvgnw.local on 8081 at route /pdb/cmd/v1?checksum=0f8f2f1e474b2f551f6dc656bff34f1e43e56f6b=8=vmlabvmt01.rsvgnw.local=store_report=2020-04-09T13:22:45.130Z, error message received was 'Error executing http request'. Failing over to the next PuppetDB server_url in the 'server_urls' list
> 2020-04-09T15:22:45.172+02:00 ERROR [qtp1002336767-143] [puppetserver] Puppet Failed to execute '/pdb/cmd/v1?checksum=0f8f2f1e474b2f551f6dc656bff34f1e43e56f6b=8=vmlabvmt01.rsvgnw.local=store_report=2020-04-09T13:22:45.130Z' on at least 1 of the following 'server_urls': https://vmctldeploy20.rsvgnw.local:8081
>
>
> I have checked a few things :
> - Updated puppetdb-termini on the puppet-master from 6.5 to 6.9 (no 

Re: [Puppet Users] Puppet on Ubuntu Focal

2020-04-26 Thread comport3
This is the same as my experience on Friday - the release file is there but 
the packages are not yet available.

The 'bionic' release and binaries work perfectly well though if it gets you 
past this step...

On Sunday, April 26, 2020 at 1:07:14 AM UTC+10, Arpit sharma wrote:
>
>
> Actually I am using puppet as a standalone.
>
> I ran 
> wget http://apt.puppetlabs.com/puppet6-release-focal.deb
> dpkg -i puppet6-release-focal.deb
> apt update
>
> then when I ran 
> apt install puppet-agent
> This was the error
>
> Package puppet-agent is not available, but is referred to by another 
> package.
> This may mean that the package is missing, has been obsoleted, or
> is only available from another source
>
> E: Package 'puppet-agent' has no installation candidate
>
> and when I ran 
> apt install puppet it again installed
> puppet -V
> /usr/lib/ruby/vendor_ruby/puppet/util.rb:461: warning: URI.escape is obsolete
> 5.5.10
>
> Few questions
> What is the difference between puppet and puppet-agent?
> What is the difference between puppet in apt universe and the puppet 
> installed after adding the given repo?
> On Saturday, April 25, 2020 at 4:46:58 PM UTC+5:30, Martin Alfke wrote:
>>
>> Are you using system ruby, installing puppet as a Ruby gem? 
>> No need to do this. 
>> Puppet Agent ships required ruby version. 
>> Just add the repo (http://apt.puppetlabs.com/puppet6-release-focal.deb) 
>> and then install puppet-agent package. 
>>
>> hth, 
>> Martin 
>>
>>
>> > On 24. Apr 2020, at 17:27, Arpit sharma  wrote: 
>> > 
>> > Since Focal ships with Ruby 2.7 I am having trouble using puppet on Focal 
>> > Mostly related to this issue 
>> > https://tickets.puppetlabs.com/browse/PUP-10247 
>> > When can we expect to have a stable version for Focal? 
>> > 


Re: [Puppet Users] PuppetDB latest version has disabled APIv1 metrics

2020-03-15 Thread comport3
Actually attempting to add the mentioned config to file 
'/etc/puppetlabs/puppetserver/conf.d/metrics.conf' results in the 
puppetserver service being unable to start, and this is logged -
clojure.lang.ExceptionInfo: Value does not match schema: 
{:metrics-webservice {:mbeans disallowed-key}}



Re: [Puppet Users] PuppetDB latest version has disabled APIv1 metrics

2020-03-15 Thread comport3
Thanks for this info, I think it points in the right direction.

Are you able to provide any example config or a link to how to action this?

It's not immediately obvious.



[Puppet Users] PuppetDB latest version has disabled APIv1 metrics

2020-03-12 Thread comport3
The latest version of PuppetDB v6.9.1 has removed localhost access to the 
v1 API metrics.
Ref https://puppet.com/security/cve/CVE-2020-7943/
https://puppet.com/docs/puppet/latest/release_notes_puppet.html#puppet-resolved-issues-x.12.0

Given it's only "disabled by default", this suggests there is (or, should 
be) a way to re-enable it, so we can continue using this excellent Icinga2 
plugin -
https://github.com/xorpaul/check_puppetdb/

Does anyone know how to re-enable the presently disabled functionality?

This page should have info in my opinion, but doesn't 
https://puppet.com/docs/puppetdb/latest/api/metrics/v1/mbeans.html

Issue tracked here: https://github.com/xorpaul/check_puppetdb/issues/14



[Puppet Users] Re: Puppet server won't start

2019-09-05 Thread comport3
What are the server specs? Any clues in /var/log/messages or 
/var/log/syslog to give clues if it's an OOM error?

On Thursday, September 5, 2019 at 5:16:26 AM UTC+10, Prentice Bisbal wrote:
>
> I'm doing a fresh install of Puppet6 on CentOS 7.6: 
>
> # rpm -qa | grep puppet 
> puppetserver-6.4.0-1.el7.noarch 
> puppetdb-termini-6.3.4-1.el7.noarch 
> puppet-bolt-1.26.0-1.el7.x86_64 
> puppet-client-tools-1.2.6-1.el7.x86_64 
> puppetdb-6.3.4-1.el7.noarch 
> puppet-agent-6.8.1-1.el7.x86_64 
> puppet6-release-6.0.0-5.el7.noarch 
>
> # cat /etc/redhat-release 
> CentOS Linux release 7.6.1810 (Core) 
>
> I believe I have everything configured correctly, but when I try to 
> start puppetserver, it fails to start: 
>
> # systemctl start puppetserver 
> Job for puppetserver.service failed because the control process exited 
> with error code. See "systemctl status puppetserver.service" and 
> "journalctl -xe" for details. 
>
> The output of "systemctl status ..." and "journalctl -xe" aren't very 
> helpful to me: 
>
> # systemctl status puppetserver.service 
> ● puppetserver.service - puppetserver Service 
>    Loaded: loaded (/usr/lib/systemd/system/puppetserver.service; enabled; vendor preset: disabled) 
>    Active: activating (start) since Wed 2019-09-04 15:10:53 EDT; 19s ago 
>   Control: 21586 (bash) 
>     Tasks: 39 (limit: 4915) 
>    CGroup: /system.slice/puppetserver.service 
>            ├─21586 bash /opt/puppetlabs/server/apps/puppetserver/cli/apps/start 
>            ├─21593 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /... 
>            └─21708 sleep 1 
>
> Sep 04 15:10:53 puppet.pppl.gov systemd[1]: Starting puppetserver 
> Service... 
>
> # journalctl -xe 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at org.jruby.RubyKernel.require(org/jruby/RubyKernel.java:970) 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at RUBY.require(uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59) 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at RUBY.(uri:classloader:/puppetserver-lib/puppet/server.rb:1) 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at org.jruby.RubyKernel.require(org/jruby/RubyKernel.java:970) 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at RUBY.(root)(uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:1) 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: at RUBY.(uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems/core_ext/kernel_require.rb:59) 
> Sep 04 15:11:58 puppet.pppl.gov puppetserver[21871]: Background process 21878 exited before start had completed 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: puppetserver.service: control process exited, code=exited status=1 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Failed to start puppetserver Service. 
> -- Subject: Unit puppetserver.service has failed 
> -- Defined-By: systemd 
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel 
> -- 
> -- Unit puppetserver.service has failed. 
> -- 
> -- The result is failed. 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Unit puppetserver.service entered failed state. 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: puppetserver.service failed. 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: puppetserver.service holdoff time over, scheduling restart. 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Stopped puppetserver Service. 
> -- Subject: Unit puppetserver.service has finished shutting down 
> -- Defined-By: systemd 
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel 
> -- 
> -- Unit puppetserver.service has finished shutting down. 
> Sep 04 15:11:58 puppet.pppl.gov systemd[1]: Starting puppetserver Service... 
> -- Subject: Unit puppetserver.service has begun start-up 
> -- Defined-By: systemd 
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel 
> -- 
> -- Unit puppetserver.service has begun starting up. 
>
> However, the output of 'ps -ef | grep puppet' shows it's running: 
>
> # ps -ef | grep puppet 
> puppet   22299     1  0 15:12 ?        00:00:00 bash /opt/puppetlabs/server/apps/puppetserver/cli/apps/start 
> puppet   22306 22299 99 15:12 ?        00:00:08 /usr/bin/java -Xms2g -Xmx2g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger -Djava.security.egd=/dev/urandom -XX:OnOutOfMemoryError=kill -9 %p -cp /opt/puppetlabs/server/apps/puppetserver/puppet-server-release.jar:/opt/puppetlabs/server/data/puppetserver/jars/* clojure.main -m puppetlabs.trapperkeeper.main --config /etc/puppetlabs/puppetserver/conf.d --bootstrap-config /etc/puppetlabs/puppetserver/services.d/,/opt/puppetlabs/server/apps/puppetserver/config/services.d/ --restart-file 

[Puppet Users] Re: Puppet Platform 6.7.0 is now available!

2019-07-23 Thread comport3
https://tickets.puppetlabs.com/browse/PA-2809

On Wednesday, July 24, 2019 at 6:34:19 AM UTC+10, Puppet Product Updates 
wrote:
>
> This release contains bug fixes and enhancements, notably:
>
> Puppet 6.7 adds a new `ca_fingerprint` setting that verifies the CA bundle 
> download against a fingerprint.
> The new Puppet Server 6.5 release includes an upgrade to Jetty. With this 
> update, Puppet Server now defaults to stronger FIPS-compliant ciphers, but 
> you must first remove the weak ciphers. We urge all Puppet Server users to 
> update to this new version and remove the outdated cipher suite. See the 
> Puppet Server release notes (
> https://puppet.com/docs/puppetserver/6.5/release_notes.html) for details.
>  You can see the full list of changes in the release notes: 
> https://puppet.com/docs/puppet/6.7/release_notes_puppet.html
>
>



[Puppet Users] Re: Don't upgrade to Puppet v6.7.0 if you use the camptocamp-postfix module

2019-07-23 Thread comport3
https://tickets.puppetlabs.com/browse/PA-2809



[Puppet Users] Don't upgrade to Puppet v6.7.0 if you use the camptocamp-postfix module

2019-07-23 Thread comport3
The new version has introduced a regression that has broken our MTA 
(Postfix), based on the camptocamp-postfix module.

Steps to reproduce on Ubuntu 18.04 LTS:
```
wget https://apt.puppetlabs.com/puppet6-release-bionic.deb
dpkg -i puppet6-release-bionic.deb
apt update;apt install -y puppet-agent
puppet module install camptocamp-postfix --version 1.8.0
puppet apply -e 'include ::postfix'
```

Output: Error: Could not prefetch mailalias provider 'aliases': Could not 
parse line "postmaster:root" (file: /etc/aliases, line: 3)
Error: Failed to apply catalog: Could not parse line "postmaster:root" 
(file: /etc/aliases, line: 3)

Revert to v6.6.0 and everything works normally, as it did yesterday.



[Puppet Users] Re: Puppet Platform 6.7.0 is now available!

2019-07-23 Thread comport3
This has introduced a regression that has broken our MTA (Postfix), based 
on the camptocamp-postfix module.

Steps to reproduce on Ubuntu 18.04 LTS:
```
wget https://apt.puppetlabs.com/puppet6-release-bionic.deb
dpkg -i puppet6-release-bionic.deb
apt update;apt install -y puppet-agent
puppet module install camptocamp-postfix --version 1.8.0
puppet apply -e 'include ::postfix'
```

Output: Error: Could not prefetch mailalias provider 'aliases': Could not 
parse line "postmaster:root" (file: /etc/aliases, line: 3)
Error: Failed to apply catalog: Could not parse line "postmaster:root" 
(file: /etc/aliases, line: 3)

On Wednesday, July 24, 2019 at 6:34:19 AM UTC+10, Puppet Product Updates 
wrote:
>
> This release contains bug fixes and enhancements, notably:
>
> Puppet 6.7 adds a new `ca_fingerprint` setting that verifies the CA bundle 
> download against a fingerprint.
> The new Puppet Server 6.5 release includes an upgrade to Jetty. With this 
> update, Puppet Server now defaults to stronger FIPS-compliant ciphers, but 
> you must first remove the weak ciphers. We urge all Puppet Server users to 
> update to this new version and remove the outdated cipher suite. See the 
> Puppet Server release notes (
> https://puppet.com/docs/puppetserver/6.5/release_notes.html) for details.
>  You can see the full list of changes in the release notes: 
> https://puppet.com/docs/puppet/6.7/release_notes_puppet.html
>
>



[Puppet Users] Re: Pastebin like service for sharing Profiles?

2019-07-15 Thread comport3
Thanks Martin, the PSIC repos are excellent - thanks!

And Tim, the logic of having the p_ modules avoiding namespace collisions 
also makes perfect sense at scale.

I was thinking more of a searchable, more goal oriented view of sharing 
Profiles that implement 1 or more technologies to form a "stack".

Eg, 'Securing SSH', 'Achieving an A-Grade with NGiNX TLS on Qualys SSL 
test, with maximum compatibility', 'WordPress/Magento/Drupal battle tested 
hosting stacks', etc.



[Puppet Users] Pastebin like service for sharing Profiles?

2019-07-13 Thread comport3
Presumably the majority of participants in this group are using the 'Roles 
and Profiles' patterns in their Puppet deployments.

Although there is little to be gained from the Roles portion, often the way 
technologies are integrated is driven by the logic in the Profiles section.

Has there been a discussion (or better, an existing service or method) of 
freely sharing and exchanging those Profiles?

I think observing and reusing (and hopefully, improving) the logic in these 
would benefit all in the community.

Example: https://pastebin.com/gkFibUQt



[Puppet Users] Windows custom fact as a batch file

2019-07-10 Thread comport3
Is there anything else that is needed to have a custom facter fact as a 
batch file?

cat lib/facter/ssh_hostkey.bat 
```
@ECHO OFF
for /f "tokens=2" %%a in ('type C:\ProgramData\ssh\ssh_host_ecdsa_key.pub') do (set hostkey=%%a)
Echo ssh_hostkey=%hostkey%
```

Executes fine on the Windows host and returns the expected value, but 
doesn't show up at all using 'facter -p', 'puppet facts' or 'facter 
ssh_hostkey'.

What am I missing?

The same command works in PowerShell if that's easier to implement ?
```
get-content C:\ProgramData\ssh\ssh_host_ecdsa_key.pub| 
ForEach-Object{$_.Split(" ")[1]}
```



[Puppet Users] Re: Need help! Stuck on installing Azure client to agent

2019-03-28 Thread comport3
You require Package[azurerepo] but haven't declared it anywhere.

Try either changing:
  require => Package['azurerepo']
to
  require => Yumrepo['azurerepo']

or add a package definition, eg.

package { 'azurerepo': ensure => present}

On Tuesday, March 26, 2019 at 9:11:17 PM UTC+11, banth...@truedigital.com 
wrote:
>
> Hi! I've been trying to install Azure client to agent by using puppet 
> following this 
> https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-yum?view=azure-cli-latest
>
> Already installed on Master but stuck on installing to agent.
>
> from the guideline above it has 3 parts
> 1. import Microsoft repository key by using command 
> sudo rpm --import https://packages.microsoft.com/keys/microsoft.asc
>
> 2. Create local azure-cli repository information.
> Since Azure installed on master so I copy the local repo and move to 
> specific path which is in 
> */modules/os_preparation/files/repolist/azure-cli.repo*
>
>
> 3. Install with Yum command
> sudo yum install azure-cli
>
> And here're my code
>
> class os_preparation::azure_install {
>
>   # Import the Microsoft repository key.
>   yumrepo { 'azurerepo':
>     baseurl  => 'https://packages.microsoft.com/keys/microsoft.asc',
>     gpgcheck => 0
>   }
>
>   file { 'azure-cli.repo in /etc/yum.repos.d/':
>     ensure  => 'file',
>     path    => '/etc/yum.repos.d/azure-cli.repo',
>     owner   => 'root',
>     group   => 'root',
>     mode    => '644',
>     source  =>
>       "puppet:///modules/os_preparation/files/repolist/azure-cli.repo",
>     require => Package['azurerepo']
>   }
>
>   exec { 'yumrepolist':
>     command => 'yum -y repolist',
>     path    => '/etc/yum.repos.d/azure-cli.repo'
>   }
>
>   # install azure client
>   exec { 'install-azure':
>     command => 'yum -y install azure-cli',
>     path    => '/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:',
>     unless  => 'az --help',
>     require => File['/etc/yum.repos.d/azure-cli.repo']
>   }
> }
>
> ps. In part 1 not sure for azurerepo, It might be package or yumrepo ?
>
> and errors from some puppet agent
>
> [root@mtg8-dt-02 ~]# puppet agent -t
> 2019-03-26 16:26:58.215715 WARN puppetlabs.facter - locale environment variables were bad; continuing with LANG=C LC_ALL=C
> Info: Using configured environment 'production'
> Info: Retrieving pluginfacts
> Info: Retrieving plugin
> Info: Retrieving locales
> Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not find resource 'Package[azurerepo]' in parameter 'require' (file: /etc/puppetlabs/code/environments/production/modules/os_preparation/manifests/azure_install.pp, line: 17) on node mtg8-dt-02.tap.true.th
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
>
> Any suggestions would be great, I really appreciate 
> Thanks
>
>

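
The class from the question with package signature checking left on, as an added example that is not code from the thread: a `yumrepo` resource writes the repository definition with `gpgcheck` enabled, and a `package` resource replaces the `exec` calls. The `baseurl` value is an assumption based on Microsoft's published azure-cli repository definition; it does not appear in the thread.

```puppet
class os_preparation::azure_install {

  # Puppet writes /etc/yum.repos.d/azure-cli.repo from this resource, so no
  # separate file resource or copied .repo file is needed.
  yumrepo { 'azure-cli':
    ensure   => present,
    descr    => 'Azure CLI',
    # Assumed repository URL (not from the thread). The thread's manifest
    # pointed baseurl at the signing key instead of the package repository.
    baseurl  => 'https://packages.microsoft.com/yumrepos/azure-cli',
    enabled  => 1,
    # Verify package signatures; the thread's manifest had gpgcheck => 0.
    gpgcheck => 1,
    # Key URL from step 1 of the question. yum fetches it when it first
    # installs a package from this repository.
    gpgkey   => 'https://packages.microsoft.com/keys/microsoft.asc',
  }

  # The package resource is idempotent on its own, so the
  # "unless => 'az --help'" guard from the exec is no longer required.
  package { 'azure-cli':
    ensure  => installed,
    require => Yumrepo['azure-cli'],
  }
}
```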


Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-03-10 Thread comport3
Hi Henrik,

You're correct - this sample code precedes getting the Hiera 
function/lookup working, I want to be able to do it in Puppet code first.

I've ended up with the following -
```
$secret_lookup = Deferred('vault_lookup::lookup',
  ["secret/client.example.com", 'https://puppet.example.com:8228'])
notify {mysql_root: message => Deferred('get', [$secret_lookup,
  'mysql_root_password'])}
```

It returns this error -

Error: Failed to apply catalog: 'dig' parameter 'data' expects a value of type Undef or Collection, got Sensitive[Hash]

Any ideas?


On Friday, March 8, 2019 at 8:43:55 PM UTC+11, Henrik Lindberg wrote:
>
> On 2019-03-08 03:13, comport3 wrote: 
> > Hi Henrik, 
> > 
> > Thanks for your reply. 
> > 
> > I still don't really understand how to use your example - is it an 
> > additional custom function written in Ruby that would be synchronised 
> > from the master? 
> > 
> I showed a hiera backend that returns Deferred - but it seems that is 
> not really what you were asking about (your example is different). 
>
> > How would this be structured or implemented step by step please? 
> > 
> > This is what's in my current class, with specifically what doesn't work 
> > commented out at the bottom (ignore my custom Vault port, please) - 
> > 
> > class profile::vaulttest { 
> > 
> >   $secret_lookup = Deferred('vault_lookup::lookup', 
> >     ["secret/client.example.com", 'https://puppet.example.com:8228']) 
> > 
> >   ## Works, returns a hashed array of key/value pairs, I want to look 
> >   ## up a SPECIFIC key and its value, eg 'mysql_root_password' 
> >   notify {mysql_root: message => $secret_lookup} 
> > 
> >   ## Trying to lookup a key within the array, fails with error 
> >   ## Evaluation Error: Operator '[]' is not applicable to an Object. 
> >   #notify {mysql_root: message => $secret_lookup[mysql_root_password]} 
> > 
> > } 
> > 
> > Help?! :-) 
> > 
>
> The reason your commented out code does not work is because you are 
> trying to get the key "mysql_root_password" from a Deferred that has not 
> yet been resolved. (It will be resolved later when the catalog is 
> processed on the agent, but while compiling the Deferred is just an 
> instruction to do something later). 
>
> You need the following: 
>
>message => Deferred('get', [$secret_lookup, 'mysql_root_password']) 
>
> To get what I think you want. 
>
> - henrik 
> > 
> > On Thursday, February 28, 2019 at 4:29:15 AM UTC+11, Henrik Lindberg 
> wrote: 
> > 
> > On 2019-02-27 00:01, comport3 wrote: 
> >  > Hi Henrik and Group, 
> >  > 
> >  > Thank you very much, this sounds like exactly what we are after. After 
> >  > reviewing https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html 
> >  > we are a little lost as to how to get started. Does anyone have any 
> >  > example code of using a Custom Backend or Puppet Function in 
> >  > conjunction with a Deferred data type lookup for us to review? Anything 
> >  > including the Vault lookup logic or some 'proof of concept' code would 
> >  > be a much welcomed starting point. 
> >  > 
> > 
> > It is actually dead simple - here is an example that returns a hard 
> > coded deferred. The example is written in the Puppet Language, and is 
> > autoloaded just like other functions from "mymodule". 
> > 
> > This simple example is a "data hash" kind of backend - it is called once 
> > and is expected to return a hash with key => value bindings. 
> > 
> > function mymodule::deferred_example( 
> >   Hash                  $options, 
> >   Puppet::LookupContext $context, 
> > ) { 
> >   # Return a hash with key(s) bound to Deferred value(s) 
> >   { 'the_key' => Deferred('vault_lookup', ['the key']) } 
> > } 
> > 
> > Then there are lots of different things you could do. 
> > 
> > The $options hash contains information from hiera.yaml: 
> > - if a path/URI was given or not (and that path existed) 
> > - any custom options given in hiera.yaml for this entry 
> > 
> > This means you could configure what the backend would do based on 
> > either 
> > options given directly (a list of keys for which
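
One way around the `Sensitive[Hash]` error reported at the top of this message, as an added example that is not code from the thread: unwrap the value and pick the key inside a deferred `inline_epp` call, so both steps run on the agent after the lookup has resolved. The target file `/root/.my.cnf`, its contents and the template parameter name `secret` are assumptions.

```puppet
class profile::vaulttest {

  # Resolved on the agent when the catalog is applied. Per the error above,
  # the resolved value is a Sensitive[Hash], which 'get' refuses to dig into.
  $secret_lookup = Deferred('vault_lookup::lookup',
    ['secret/client.example.com', 'https://puppet.example.com:8228'])

  # Hypothetical template. The heredoc tag is unquoted, so $secret is not
  # interpolated at compile time; it stays literal for inline_epp to evaluate.
  # unwrap removes the Sensitive wrapper, dig then selects the single key.
  $template = @(END)
    [client]
    user=root
    password=<%= $secret.unwrap.dig('mysql_root_password') %>
    | END

  # Assumed target file, not from the thread.
  file { '/root/.my.cnf':
    ensure    => file,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    # The rendered content is a plain String again, so keep it out of
    # diffs in agent logs and reports.
    show_diff => false,
    # A Deferred nested inside the arguments of another Deferred is
    # resolved first, so inline_epp receives the looked-up value.
    content   => Deferred('inline_epp', [$template, { 'secret' => $secret_lookup }]),
  }
}
```

Writing the value to a root-only file rather than a `notify` keeps the unwrapped password out of the agent's run output.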

Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-03-07 Thread comport3
Hi Henrik,

Thanks for your reply.

I still don't really understand how to use your example - is it an 
additional custom function written in Ruby that would be synchronised from 
the master?

How would this be structured or implemented step by step please?

This is what's in my current class, with specifically what doesn't work 
commented out at the bottom (ignore my custom Vault port, please) -

class profile::vaulttest {

  $secret_lookup = Deferred('vault_lookup::lookup',
    ["secret/client.example.com", 'https://puppet.example.com:8228'])

  ## Works, returns a hashed array of key/value pairs, I want to look up a
  ## SPECIFIC key and its value, eg 'mysql_root_password'
  notify {mysql_root: message => $secret_lookup}

  ## Trying to lookup a key within the array, fails with error
  ## Evaluation Error: Operator '[]' is not applicable to an Object.
  #notify {mysql_root: message => $secret_lookup[mysql_root_password]}

}

Help?! :-)


On Thursday, February 28, 2019 at 4:29:15 AM UTC+11, Henrik Lindberg wrote:
>
> On 2019-02-27 00:01, comport3 wrote: 
> > Hi Henrik and Group, 
> > 
> > Thank you very much, this sounds like exactly what we are after. After 
> > reviewing https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html 
> > we are a little lost as to how to get started. Does anyone have any 
> > example code of using a Custom Backend or Puppet Function in 
> > conjunction with a Deferred data type lookup for us to review? Anything 
> > including the Vault lookup logic or some 'proof of concept' code would 
> > be a much welcomed starting point. 
> > 
>
> It is actually dead simple - here is an example that returns a hard 
> coded deferred. The example is written in the Puppet Language, and is 
> autoloaded just like other functions from "mymodule". 
>
> This simple example is a "data hash" kind of backend - it is called once 
> and is expected to return a hash with key => value bindings. 
>
>function mymodule::deferred_example( 
>  Hash  $options, 
>  Puppet::LookupContext $context, 
>) { 
>  # Return a hash with key(s) bound to Deferred value(s) 
>  { 'the_key' => Deferred('vault_lookup', ['the key']) } 
>} 
>
> Then there are lots of different things you could do. 
>
> The $options hash contains information from hiera.yaml: 
> - if a path/URI was given or not (and that path existed) 
> - any custom options given in hiera.yaml for this entry 
>
> This means you could configure what the backend would do based on either 
> options given directly (a list of keys for which this backend should 
> return a Deferred), or you can use the path to read such data from a 
> file, using say a function to read that file as json from the path in 
> options. 
>
> To use this backend simply enter its name in hiera.yaml like you do for 
> other backend functions. 
>
> Another alternative is to write a backend of "lookup key" kind. The 
> contract there is to return a value per key or that the 
> $context.not_found() is called (if it does not have a value for the key). 
>
> If you go this route, then the function could for example lookup a key 
> in hiera that holds the names of keys to lookup in a deferred way. 
> Or, if you design it so that all deferred parameters can be identified 
> via their name then you could simply return a Deferred for all keys that 
> match a pattern. 
>
> Read all the details starting from here: 
> https://puppet.com/docs/puppet/latest/hiera_custom_backends.html 
>
> Hope this helps. 
> - henrik 
>
>
> -- 
>
> Visit my Blog "Puppet on the Edge" 
> http://puppet-on-the-edge.blogspot.se/ 
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/2ecccdee-e130-4f44-b6a1-b1a0c8532bbd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
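
Henrik's "lookup key" backend applied to the question in this post, picking one field out of the Vault secret on the agent; this is an added example, not code from the thread or from the vault_lookup module. Assumptions: the function name `profile::vault_deferred`, the `vault_url`, `vault_path` and `fields` options, a flat key/value secret as described in the post, and a consuming parameter whose data type accepts a Deferred value.

```puppet
# Added example. hiera.yaml (version 5) entry that wires it in; the option
# names below are assumptions of this sketch:
#
#   - name: "Per-node Vault secrets, resolved on the agent"
#     lookup_key: profile::vault_deferred
#     options:
#       vault_url: "https://puppet.example.com:8228"
#       vault_path: "secret/%{trusted.certname}"
#       fields:
#         "mysql::server::root_password": "mysql_root_password"
#
# Save as <module path>/profile/functions/vault_deferred.pp
function profile::vault_deferred(
  Variant[String, Numeric] $key,
  Hash                     $options,
  Puppet::LookupContext    $context,
) {
  # Name of the field inside the Vault secret that backs this Hiera key,
  # or undef when the key is not listed under 'fields'.
  $field = $options.dig('fields', $key)

  if $field =~ String[1] {
    # Template evaluated on the agent by inline_epp. It unwraps the lookup
    # result when it is Sensitive, then returns the one field asked for.
    $template = @(EPP)
      <%- | $secret, String $field | -%>
      <%- $data = $secret ? { Sensitive => $secret.unwrap, default => $secret } -%>
      <%= $data[$field] -%>
      |- EPP

    # The inner Deferred is an argument of the outer one, so the agent
    # resolves the Vault lookup first and hands its result to the template.
    # The compiled catalog holds only these two calls, never the secret.
    Deferred('inline_epp', [$template, {
      'secret' => Deferred('vault_lookup::lookup',
        [$options['vault_path'], $options['vault_url']]),
      'field'  => $field,
    }])
  } else {
    # Every other key falls through to the next hierarchy level.
    $context.not_found()
  }
}
```

The template returns a plain String on the agent, so the value is no longer wrapped in Sensitive once it reaches the resource that consumes it.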


Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-02-26 Thread comport3
Hi Henrik and Group,

Thank you very much, this sounds like exactly what we are after. After 
reviewing https://puppet.com/docs/puppet/6.3/hiera_custom_backends.html we 
are a little lost as to how to get started. Does anyone have any example 
code of using a Custom Backend or Puppet Function in conjunction with a 
Deferred data type lookup for us to review? Anything including the Vault 
lookup logic or some 'proof of concept' code would be a much welcomed 
starting point.



Re: [Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-02-18 Thread comport3
Thank you very much Lindsey, I will lock in some time to digest and 
understand this material.

Are there any Hiera YAML examples? The specific use case I'm trying to solve 
is for 'mysql::server::root_password: '.

On Tuesday, February 19, 2019 at 5:21:34 AM UTC+11, Lindsey Smith wrote:
>
>
>
> On Sun, Feb 17, 2019 at 4:17 PM comport3 wrote:
>
>> Does anyone have any real world examples of referencing Deferred lookups, 
>> either in Puppet code or Hiera that you could share?
>>
>
> Ben Ford just gave a talk on this at Config Management Camp and his slides 
> are here: https://twitter.com/binford2k/status/1092806318501576706
>
> I also gave a talk late last year and if you skip to the middle of the 
> video you can see the agent-side code I used: 
> https://www.brighttalk.com/webcast/15621/335134
>
> Lindsey
>  
>
>



[Puppet Users] Referencing Deferred functions in Puppet Code or Hiera YAML

2019-02-17 Thread comport3
Does anyone have any real world examples of referencing Deferred lookups, 
either in Puppet code or Hiera that you could share?



[Puppet Users] Re: Puppet 6 client lookup secret from Hashicorp Vault

2019-01-31 Thread comport3
We've made some more progress integrating Puppet 6+ Deferred lookups with 
Vault for secrets storage.

The basic principle we've used for the isolation is to upload and sync a 
Puppet TLS certificate per host, and lookup the relevant keys under there 
for the secret storage.

```
vault write secret/test1.exampledomain.com policies=test1.exampledomain.com \
  certificate=@/etc/puppetlabs/puppet/ssl/ca/signed/test1.exampledomain.com.pem
vault kv put secret/test1.exampledomain.com \
  mysql_root=TheVerySecureMySQLRootPassword123!
echo "path \"secret/test1.exampledomain.com\" {capabilities = [\"read\"]}" \
  > test1.exampledomain.com.hcl
vault policy write test1.exampledomain.com test1.exampledomain.com.hcl
```

We can then see the above working on the client with this code -
```
$mysql_root = Deferred('vault_lookup::lookup',
  ["secret/test1.exampledomain.com", 'https://puppet.exampledomain.com:8200'])
notify {mysql_root: message => $mysql_root}
```

What we can't figure out is how to reference the KV pair inside a Puppet 
manifest as a parameter. Eg, in YAML:
```
---
mysql::server::root_password: "%{something wonderful happens here}"
```

Any ideas?

On Tuesday, October 9, 2018 at 11:12:39 PM UTC+11, comport3 wrote:
>
> Mentioned in the Puppet 6 release notes are the ability for a client to 
> lookup secret data from Vault.
>
> Is there any more info on how to implement this?
>
> I have done extensive work on POC environments that use Vault as a top 
> level in Hierarchy and mark the secrets as 'sensitive' so they do not 
> appear in logs and reports, but do not want to continue deploying this 
> methodology if it's not the way the technology is headed.
>
> https://github.com/comport3/puppet5-hiera-vault-poc
>
>



[Puppet Users] Re: Puppet 6 client lookup secret from Hashicorp Vault

2019-01-31 Thread comport3
We've made some more progress integrating Puppet 6+ Deferred lookups with 
Vault for secrets storage.

The basic principle we've used for the isolation is to upload and sync a 
Puppet TLS certificate per host, and lookup the relevant keys under there 
for the secret storage.

```
vault write secret/test1.exampledomain.com policies=test1.exampledomain.com \
  certificate=@/etc/puppetlabs/puppet/ssl/ca/signed/test1.exampledomain.com.pem
vault kv put secret/test1.exampledomain.com \
  mysql=TheVerySecureMySQLRootPassword123!
echo "path \"secret/test1.exampledomain.com\" {capabilities = [\"read\"]}" \
  > test1.exampledomain.com.hcl
vault policy write test1.exampledomain.com test1.exampledomain.com.hcl
```

We can then see the above working on the client with this code -
```
$mysql_root = Deferred('vault_lookup::lookup', 
["secret/test1.exampledomain.com", 'https://puppet.exampledomain.com:8200'])
notify {mysql_root: message => $mysql_root}
```

What we can't figure out is how to reference the KV pair inside a Puppet 
manifest as a parameter. Eg, in YAML:
```
---
mysql::server::root_password: "%{something wonderful happens here}"
```

Any ideas?



Re: [Puppet Users] Re: Puppet 6 client lookup secret from Hashicorp Vault

2019-01-10 Thread comport3
We now have Vault lookups working using the Deferred functionality that 
debuted in Puppet 6.x.

Here are my high level notes on "how", hoping they help someone else in the 
future (lots of assumptions, but if you have questions please reach out...)

#export VAULT_SKIP_VERIFY=true
#mkdir /var/lib/vault
#chown puppet:puppet /var/lib/vault
#vault operator init -key-shares=1 -key-threshold=1
# (securely record keys and tokens)
#export VAULT_TOKEN=TheTokenFromAbove
#vault operator unseal
# (unseal key from above)
#vault auth enable cert
#vault write auth/cert/certs/puppetserver display_name=puppet policies=prod,test certificate=@/etc/puppetlabs/puppet/ssl/ca/ca_crt.pem ttl=3600
#vault kv put secret/test hello=world
#echo "path \"secret/test\" {capabilities = [\"read\",\"list\"]}" > test.hcl
#vault policy write test test.hcl
#  (enable vault profile::vaulttest in Hiera & deploy, test Puppet and see the KV output)

Our next challenge is how to isolate clients to see ONLY their own secrets 
within Vault based on the incoming name and a policy to suit (or a similar 
workflow that results in client isolation).

If any Vault users have any advice it would be welcome.

On Monday, November 5, 2018 at 4:56:36 PM UTC+11, comport3 wrote:
>
> Hi Lindsey and Thomas,
>
> Thanks for your documentation - I'm having some problems getting the 
> client lookup to work.
>
> I have the Puppetserver CA setup in Vault, and the Vault servers Puppet 
> certificate and private key configured.
>
> I have added the Puppetserver CA to the trusted roots, per: 
> https://github.com/hashicorp/vault/issues/438
>
> I have configured Vault ('auth enable cert', 'vault write 
> auth/cert/certs/puppetserver...') successfully (or so it seems) and Vault 
> is unlocked.
>
> Now I can get a test lookup to work using this CURL command -
> curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" 
> https://vault1.domain.com:8200/v1/secret/test
>
> But configuring via Puppet code, I get -
> Error: Failed to apply catalog: Received 403 response code from vault at 
> vault1.domain.com for secret lookup (api errors: ["1 error occurred:\n\t* 
> permission denied\n\n"])
>
> Any ideas what I'm missing?
>
> On Saturday, October 13, 2018 at 2:20:02 AM UTC+11, Lindsey Smith wrote:
>>
>>
>>
>> On Wed, Oct 10, 2018 at 5:28 AM Thomas Müller wrote:
>>
>>>
>>>
>>> On Tuesday, 9 October 2018 at 14:12:39 UTC+2, comport3 wrote:
>>>>
>>>> Mentioned in the Puppet 6 release notes are the ability for a client to 
>>>> lookup secret data from Vault.
>>>>
>>>> Is there any more info on how to implement this?
>>>>
>>>> I have done extensive work on POC environments that use Vault as a top 
>>>> level in Hierarchy and mark the secrets as 'sensitive' so they do not 
>>>> appear in logs and reports, but do not want to continue deploying this 
>>>> methodology if it's not the way the technology is headed.
>>>>
>>>> https://github.com/comport3/puppet5-hiera-vault-poc
>>>>
>>>
>>> from https://puppet.com/docs/puppet/6.0/using_a_deferred_function.html:
>>>
>>>> The Forge already hosts some community modules that provide integrations 
>>>> with secret store, like the following:
>>>>
>>>> - Azure Key Vault: works on both the master and the server
>>>> - Cyberark Conjur: works on the master
>>>> - Cyberark AIM: works on the agent
>>>> - Hashicorp Vault: works on the agent
>>>> - AWS Secrets Manager: works on the agent
>>>>
>>>> but it does not directly link the modules.
>>>
>>
>> Apologies for not updating the docs in the last couple of days. The 
>> agent-side Vault integration lives here: 
>> https://github.com/voxpupuli/puppet-vault_lookup (coming soon to the 
>> Forge)
>>
>> See also the related blog post: 
>> https://puppet.com/blog/secret-agents-man-secrets-store-integrations-puppet-6
>>  
>>
>>



Re: [Puppet Users] Re: Puppet 6 client lookup secret from Hashicorp Vault

2018-11-04 Thread comport3
Hi Lindsey and Thomas,

Thanks for your documentation - I'm having some problems getting the client 
lookup to work.

I have the Puppetserver CA setup in Vault, and the Vault servers Puppet 
certificate and private key configured.

I have added the Puppetserver CA to the trusted roots, 
per: https://github.com/hashicorp/vault/issues/438

I have configured Vault ('auth enable cert', 'vault write 
auth/cert/certs/puppetserver...') successfully (or so it seems) and Vault 
is unlocked.

Now I can get a test lookup to work using this CURL command -
curl -X GET -H "X-Vault-Token:$VAULT_TOKEN" 
https://vault1.domain.com:8200/v1/secret/test

But configuring via Puppet code, I get -
Error: Failed to apply catalog: Received 403 response code from vault at 
vault1.domain.com for secret lookup (api errors: ["1 error occurred:\n\t* 
permission denied\n\n"])

Any ideas what I'm missing?

On Saturday, October 13, 2018 at 2:20:02 AM UTC+11, Lindsey Smith wrote:
>
>
>
> On Wed, Oct 10, 2018 at 5:28 AM Thomas Müller wrote:
>
>>
>>
>> On Tuesday, 9 October 2018 at 14:12:39 UTC+2, comport3 wrote:
>>>
>>> Mentioned in the Puppet 6 release notes are the ability for a client to 
>>> lookup secret data from Vault.
>>>
>>> Is there any more info on how to implement this?
>>>
>>> I have done extensive work on POC environments that use Vault as a top 
>>> level in Hierarchy and mark the secrets as 'sensitive' so they do not 
>>> appear in logs and reports, but do not want to continue deploying this 
>>> methodology if it's not the way the technology is headed.
>>>
>>> https://github.com/comport3/puppet5-hiera-vault-poc
>>>
>>
>> from https://puppet.com/docs/puppet/6.0/using_a_deferred_function.html:
>>
>>> The Forge already hosts some community modules that provide integrations 
>>> with secret store, like the following:
>>>
>>> - Azure Key Vault: works on both the master and the server
>>> - Cyberark Conjur: works on the master
>>> - Cyberark AIM: works on the agent
>>> - Hashicorp Vault: works on the agent
>>> - AWS Secrets Manager: works on the agent
>>>
>>> but it does not directly link the modules.
>>
>
> Apologies for not updating the docs in the last couple of days. The 
> agent-side Vault integration lives here: 
> https://github.com/voxpupuli/puppet-vault_lookup (coming soon to the 
> Forge)
>
> See also the related blog post: 
> https://puppet.com/blog/secret-agents-man-secrets-store-integrations-puppet-6
>  
>
>



[Puppet Users] Puppet 6 removed native Nagios provider

2018-10-18 Thread comport3
Hi All,

We are testing some Nagios stuff on Puppet 6 and it seems all the 
previously native functionality was completely removed.

Is it available to be re-added via a Module? If not, why was it removed - 
technical issues, etc??

Example to reproduce:

(on server to be monitored, exporting its 'nagios_host' resource)
  @@nagios_host { $::fqdn :
    tag        => "nagios-${lookup('nagios_server')}",
    ensure     => present,
    # nested facts are read with chained keys; 'networking.ip' is not a key of $facts
    address    => $facts['networking']['ip'],
    use        => 'wan-host',
    hostgroups => (lookup('nagios_hostgroups', {merge => deep})).join(','),
    target     => "/etc/nagios3/conf.d/puppet.d/host_${::fqdn}.cfg",
  }

(on monitoring server collecting this exported resource)

*Error: Could not retrieve catalog from remote server: Error 500 on SERVER: 
Server Error: Evaluation Error: Error while evaluating a Resource 
Statement, Unknown resource type: 'nagios_host'*



[Puppet Users] Re: Apache module + Ubuntu 18.04 + mpm prefork breaks PHP version

2018-10-18 Thread comport3
OK I have managed to debug this one.

It only seems to apply when using mpm_module: prefork with cgid and/or php

There is a fix to the Apache module as follows:
 Bump the $php_version in params.pp from 7.0 to 7.2 on line 268

Add this section beneath the preceding logic around line 85/86 in mpm.pp:
  if $mpm == 'prefork' and $::operatingsystem == 'Ubuntu' and
      $::operatingsystemrelease == '18.04' {
    # workaround https://bugs.launchpad.net/ubuntu/+source/mpm-itk/+bug/1286882
    # https://bugs.launchpad.net/ubuntu/+source/php7.2/+bug/1771934
    # https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1782806
    exec {
      '/usr/sbin/a2dismod mpm_event':
        onlyif  => '/usr/bin/test -e /etc/apache2/mods-enabled/mpm_event.load',
        require => Package['httpd'],
        before  => Package['libapache2-mod-php7.2'],
    }
  }

Hopefully this helps someone in the future.

On Thursday, October 18, 2018 at 7:43:55 PM UTC+11, comport3 wrote:
>
> Hi All,
>
> When testing the latest version of 'puppetlabs-apache', in default mode 
> and settings on Ubuntu 18.04 it works fine.
>
> When changing the mpm + php + cgi it all ends in tears when the PHP 
> version mysteriously tries to go from 7.2 (available and default on OS) to 
> 7.0.
>
> Ala -
> ```
> class { 'apache':
>   mpm_module => 'prefork'
> }
> include ::apache::mod::cgi
> include ::apache::mod::php
> ```
>
> Any ideas how to override the 7.0 value and get 7.2?
>
> If not, how to submit a bug request for the module?
>
> Neither of these entries in Hiera did anything useful -
> apache::params::phpXXX: libapache2-mod-php7.2
> apache::params::php_version: 7.2
>



[Puppet Users] Re: Pass parameters to the 'postgresql' module when instantiated as a dependency of the 'puppetdb' module

2018-10-18 Thread comport3
Hi John,

Thank you for your response. I tried putting the parameters directly into 
Hiera as suggested and nothing happened.

I don't fully understand Part 2: "2. You need any applicable resource-like 
declaration of class postgresql::server in the manifest set to not itself 
bind a value to the config_hash parameter."

Can you help me understand better what to do here please?

Chadwick - also, thanks, will check that out too.



[Puppet Users] Apache module + Ubuntu 18.04 + mpm prefork breaks PHP version

2018-10-18 Thread comport3
Hi All,

When testing the latest version of 'puppetlabs-apache', in default mode 
and settings on Ubuntu 18.04 it works fine.

When changing the mpm + php + cgi it all ends in tears when the PHP version 
mysteriously tries to go from 7.2 (available and default on OS) to 7.0.

Ala -
```
class { 'apache':
  mpm_module => 'prefork'
}
include ::apache::mod::cgi
include ::apache::mod::php
```

Any ideas how to override the 7.0 value and get 7.2?

If not, how to submit a bug request for the module?

Neither of these entries in Hiera did anything useful -
apache::params::phpXXX: libapache2-mod-php7.2
apache::params::php_version: 7.2



[Puppet Users] Pass parameters to the 'postgresql' module when instantiated as a dependency of the 'puppetdb' module

2018-10-16 Thread comport3
Hi All,

We are integrating a new PuppetDB role, and note that there are some key 
tuning parameters we'd like to modify to optimise the performance, such as 
'shared_buffers' and 'work_mem'. Normally the methods to do this would be a 
straight parameter lookup in Hiera, however these values are nested within 
a Hash. No problem I hear you say, just use 'create_resources'.. well 
that's what I'd normally do next, however trying to declare it in a 
'profile' class it complains of a 'duplicate class declaration'...

Steps to reproduce -
1. puppet module install puppetlabs-puppetdb
2. class profile::puppetdb {
 include profile::fw::puppetdb
 include ::puppetdb
 class { 'postgresql::server':
  config_hash => {
   'shared_buffers' => '512MB',
   'work_mem' => '16MB',
   }
  }
 }

Duplicate declaration, can't do..



Re: [Puppet Users] Set default param value based on another param

2018-10-11 Thread comport3
Hi Eirik,

I think I understand what you want to do - set some sensible defaults, and just 
get the most specific or unique parameters from Hiera.

This article by RIP helped me a lot to understand how to do that: 
https://www.devco.net/archives/2015/12/16/iterating-in-puppet.php ' wildcard 
and defaults'.

I use this in a Profile class to do exactly what you want to do.



[Puppet Users] Puppet 6 client lookup secret from Hashicorp Vault

2018-10-09 Thread comport3
Mentioned in the Puppet 6 release notes is the ability for a client to lookup 
secret data from Vault.

Is there any more info on how to implement this?

I have done extensive work on POC environments that use Vault as a top level in 
Hierarchy and mark the secrets as 'sensitive' so they do not appear in logs and 
reports, but do not want to continue deploying this methodology if it's not the 
way the technology is headed.

https://github.com/comport3/puppet5-hiera-vault-poc



[Puppet Users] puppetlabs-mysql: change the @HOST for the 'root'@'localhost'

2018-07-10 Thread comport3
Using the latest Puppet 5.5+ and puppetlabs/mysql module 5.4.0, is there a 
way to change the 'localhost' host portion of the root user?

Post deployment, I can use the following MySQL commands to change it, but 
it breaks the Puppet module:

UPDATE mysql.user SET Host='%' WHERE Host='localhost' AND 
User='root'; FLUSH PRIVILEGES;

However this breaks the Puppet run with the following output (with --debug 
arguments)
Debug: Prefetching mysql resources for mysql_user
Debug: Executing: '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf -NBe 
SELECT CONCAT(User, '@',Host) AS User FROM mysql.user'
Debug: Executing: '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf -NBe 
SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, 
SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, AUTHENTICATION_STRING, 
PLUGIN FROM mysql.user WHERE CONCAT(user, '@', host) = 'root@%''
Debug: Executing: '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf -NBe 
SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, 
SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, AUTHENTICATION_STRING, 
PLUGIN FROM mysql.user WHERE CONCAT(user, '@', host) = 'backup@localhost''
Debug: Executing: '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf -NBe 
SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, 
SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, AUTHENTICATION_STRING, 
PLUGIN FROM mysql.user WHERE CONCAT(user, '@', host) = 
'mysql.session@localhost''
Debug: Executing: '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf -NBe 
SELECT MAX_USER_CONNECTIONS, MAX_CONNECTIONS, MAX_QUESTIONS, MAX_UPDATES, 
SSL_TYPE, SSL_CIPHER, X509_ISSUER, X509_SUBJECT, AUTHENTICATION_STRING, 
PLUGIN FROM mysql.user WHERE CONCAT(user, '@', host) = 
'mysql.sys@localhost''
Debug: Executing: '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf 
--database=mysql -e CREATE USER 'root'@'localhost' IDENTIFIED BY PASSWORD 
'*93F220D3C07B130C09DBA0C962F71213F3D0B8D6''
Error: Execution of '/usr/bin/mysql --defaults-extra-file=/root/.my.cnf 
--database=mysql -e CREATE USER 'root'@'localhost' IDENTIFIED BY PASSWORD 
'*93F220D3C07B130C09DBA0C962F71213F3D0B8D6'' returned 1: ERROR 1396 (HY000) 
at line 1: Operation CREATE USER failed for 'root'@'localhost'
Error: 
/Stage[main]/Mysql::Server::Root_password/Mysql_user[root@localhost]/ensure: 
change from 'absent' to 'present' failed: Execution of '/usr/bin/mysql 
--defaults-extra-file=/root/.my.cnf --database=mysql -e CREATE USER 
'root'@'localhost' IDENTIFIED BY PASSWORD 
'*93F220D2C07B130C09DBA0C962F61213F3D1B8F6'' returned 1: ERROR 1396 (HY000) 
at line 1: Operation CREATE USER failed for 'root'@'localhost'
Notice: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]: 
Dependency Mysql_user[root@localhost] has failures: true
Warning: /Stage[main]/Mysql::Server::Root_password/File[/root/.my.cnf]: 
Skipping because of failed dependencies


The following is the Hiera listen directive that necessitates the above 
(and, I'm aware this is NOT best practise, but I have a Dev server with 
nothing sensitive on it, 250+ databases to migrate and nearly that many 
ancient decrepit web apps connecting to it as root...)
mysql_server_override_options:
  mysqld:
    'bind-address': '10.0.0.5'


Does anyone know how to change the root user's 'host' without breaking the 
module?
