Re: [Puppet Users] Easiest way to create named pipes?

2010-09-16 Thread Daniel Maher

On 09/15/2010 10:11 PM, Dan Urist wrote:

Can the puppet file type create named pipes (fifo's)? This doesn't seem
to be an option for the ensure parameter, but there's also a type
parameter, though the docs describe it as A read-only state to check
the file type; not sure what that's for?

Or do I need to use mkfifo in an exec?


Pretty sure you need to mkfifo in an exec.


--
Daniel Maher dma AT witbe DOT net
The Internet is completely over. -- Prince

--
You received this message because you are subscribed to the Google Groups Puppet 
Users group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.



[Puppet Users] Dashboard database optimization

2010-09-16 Thread Ben Tullis
Hi there,

We've got a puppet (0.24.8) instance with something like a hundred nodes
on it. The puppetmaster is running under passenger, we've got both
stored configs and dashboard reports going to a MySQL database on the
same host. The dashboard itself is now in production use as our external
node configuration and reporting tool. Oh yes, we're definitely living
the dream.

Our problem is that the dashboard is just getting slower and slower as
time goes by, and the database is becoming swamped. It's a concern now
that it has become such a key tool.

Can anyone enlighten me as to whether there is any housekeeping that can
be done to the dashboard database, in order to make the application any
faster?

Are old reports purged at any time, or will they hang about for ever?
Our dashboard_production.reports table now contains ~380,000 entries and
consumes 814MB of disk space. Would it help to prune these to a certain
time-period?

Might there be any indexes missing from my database? I think I installed
the dashboard at version 1.0, but ran the database upgrade script
between 1.0.1 and 1.0.3.

I'm doing incremental MySQL tuning anyway, but I'd like to know if
anyone else has any suggestions or similar experiences.

Thanks.

-- 
Ben Tullis




Re: [Puppet Users] Glassfish asadmin provider

2010-09-16 Thread Alan Barrett
On Wed, 15 Sep 2010, Nigel Kersten wrote:
 Does 'type --all asdf' do the right thing on SunOS ?

According to IEEE Std 1003.1, 2004 Edition, type does not take
any options.  Anyway, on Solaris-5.8:

for shell in /bin/sh /usr/xpg4/bin/sh /bin/ksh /usr/local/bin/bash ;
do echo [$shell]; ${shell} -c 'type --all asdf; echo status=$?' ;
done
[/bin/sh]
--all not found
asdf not found
status=1
[/usr/xpg4/bin/sh]
asdf not found
status=127
[/bin/ksh]
asdf not found
status=127
[/usr/local/bin/bash]
/usr/local/bin/bash: line 0: type: asdf: not found
status=1

On NetBSD-5.99.27:

for shell in /bin/sh /bin/ksh /usr/pkg/bin/bash ;
do echo [$shell]; ${shell} -c 'type --all asdf; echo status=$?' ;
done
[/bin/sh]
type: Illegal option --
status=2
[/bin/ksh]
/bin/ksh: whence: --: unknown option
status=1
[/usr/pkg/bin/bash]
/usr/pkg/bin/bash: line 0: type: asdf: not found
status=1



I have seen systems where type prints a message about command not
found (or words to that effect) but sets exit status 0 as if it had
been successful.  I have found that command -v does the right thing
on the same system.  Unfortunately, my notes from the time I noticed
this don't say which system had the problem, but I think it was AIX or
Cygwin.

Compare the POSIX description of the
exit status for type and command at
http://www.opengroup.org/onlinepubs/009695399/utilities/type.html and
http://www.opengroup.org/onlinepubs/009695399/utilities/command.html:
For type exit status >0 means "an error occurred", while for command
exit status >0 means "the command_name could not be found or an error
occurred".

What I take from the POSIX spec is that one could argue either way about
whether or not it's an error for the type command to report that a
target command does not exist; but for the command -v command it's
clear that nonexistence of the target command should result in non-zero
exit status.

--apb (Alan Barrett)
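
An added example, not part of the original post: a POSIX sh helper that decides on the exit status of `command -v` rather than `type`, as the message above recommends. It goes one step further than the post by rejecting builtins and aliases and by flagging a world-writable directory; the name `resolve_cmd` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): find a program through PATH and
# decide on the exit status of `command -v`, which POSIX defines as >0
# when the name cannot be found. `type` is avoided because its status
# for a missing command differs between shells.
#
# resolve_cmd NAME    (hypothetical helper name)
#   0  NAME is an executable file; its absolute path is printed
#   1  NAME was not found
#   2  NAME is a builtin, function, alias or keyword, not a file
#   3  NAME was found, but its directory is world-writable
resolve_cmd() {
    _rc_name=$1
    case $_rc_name in
        ''|-*|*/*) return 1 ;;   # only plain command names are looked up
    esac

    _rc_path=$(command -v "$_rc_name" 2>/dev/null) || return 1

    case $_rc_path in
        /*) ;;                   # absolute path: a file found via PATH
        *)  return 2 ;;          # e.g. "cd" or "alias ll='ls -l'"
    esac
    { [ -f "$_rc_path" ] && [ -x "$_rc_path" ]; } || return 1

    # A world-writable directory lets any local user add or swap programs,
    # which matters when the caller runs as root (as a Puppet agent does).
    # The trailing "/." makes find examine the directory, not a symlink to it.
    _rc_dir=${_rc_path%/*}
    [ -n "$_rc_dir" ] || _rc_dir=/
    if [ -n "$(find "$_rc_dir/." -prune -perm -0002 2>/dev/null)" ]; then
        return 3
    fi

    printf '%s\n' "$_rc_path"
}

# Demonstration with sample names; asadmin is the program from this thread.
for name in sh cd asadmin; do
    if path=$(resolve_cmd "$name"); then
        echo "$name -> $path"
    else
        echo "$name -> not usable (status $?)"
    fi
done
```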




Re: [Puppet Users] Dashboard database optimization

2010-09-16 Thread qutic development

On 16.09.2010, at 11:31, Ben Tullis wrote:


Are old reports purged at any time, or will they hang about for ever?
Our dashboard_production.reports table now contains ~380,000 entries and
consumes 814MB of disk space. Would it help to prune these to a certain
time-period?


Rails logs are not rotated by default. The rails world would use a  
capistrano task:


http://blog.daeltar.org/logrotate-with-capistrano-generated-configura

This is creating a logrotate file - which can be done with puppet too.

Might there be any indexes missing from my database? I think I installed
the dashboard at version 1.0, but ran the database upgrade script
between 1.0.1 and 1.0.3.


Rack::Bug is a tool you can use to get an idea about missing indexes:

http://github.com/brynary/rack-bug




[Puppet Users] Re: Dashboard database optimization

2010-09-16 Thread Ben Tullis
Thanks for the response, but I think you've misunderstood the first
bit.

 Rails logs are not rotated by default. The rails world would use a  
 capistrano task:

 http://blog.daeltar.org/logrotate-with-capistrano-generated-configura

 This is creating a logrotate file - which can be done with puppet too.

It's not a log file that is causing the problem, it's the sheer size
of the database reports table.
I have already put logrotate files in place for the rails log files,
and they're fine.

  Might there be any indexes missing from my database? I think I  
  installed
  the dashboard at version 1.0, but ran the database upgrade script
  between 1.0.1 and 1.0.3.

 Rack::Bug is a tool you can use to get an idea about missing indexes:

 http://github.com/brynary/rack-bug
That's an interesting technique, but I'd rather not get into modifying
the application itself to put diagnostics in-line, especially as it's
in production.

For reference, the indexes that I have on the reports table are these:

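mysql> show indexes in reports;
+---------+------------+--------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
| Table   | Non_unique | Key_name                 | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment |
+---------+------------+--------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
| reports |          0 | PRIMARY                  |            1 | id          | A         |      380511 |     NULL | NULL   |      | BTREE      |         |
| reports |          1 | index_reports_on_node_id |            1 | node_id     | A         |         229 |     NULL | NULL   | YES  | BTREE      |         |
| reports |          1 | index_reports_on_time    |            1 | time        | A         |      380511 |     NULL | NULL   | YES  | BTREE      |         |
+---------+------------+--------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
3 rows in set (0.06 sec)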

I've got mysql logging queries that can't use an index, so I'll
analyse that to see if anything jumps out at me.

This table currently has 800MB of data and uses 14MB for the indexes.




Re: [Puppet Users] Dashboard database optimization

2010-09-16 Thread Rob McBroom
On Sep 16, 2010, at 5:31 AM, Ben Tullis wrote:

 Our problem is that the dashboard is just getting slower and slower as
 time goes by, and the database is becoming swamped. It's a concern now
 that it has become such a key tool.
 
 Can anyone enlighten me as to whether there is any housekeeping that can
 be done to the dashboard database, in order to make the application any
 faster?

We had the same issues. I have this in `/etc/cron.daily` which blows away all 
but the last 14 days of activity for Dashboard.

#!/bin/sh

# filesystem
/usr/bin/find /var/lib/puppet/reports/ -type f -mtime +60 -exec rm {} \;
# these directories should be empty after the previous command
/usr/bin/find /var/lib/puppet/reports/ -maxdepth 1 -mtime +60 -type d -exec rmdir {} \;

# dashboard database
/usr/bin/rake -f /opt/puppet-dashboard/Rakefile RAILS_ENV=production reports:prune upto=14 unit=day

I would start higher and crank it down until you get acceptable performance. 
I'd like to have more than 14 days honestly, but it was just too slow 
otherwise. (You'll note that I keep 60 days worth of YAML reports, so I could 
always import those if I really needed the data in the Dashboard.)

-- 
Rob McBroom
http://www.skurfer.com/




[Puppet Users] Re: Dashboard database optimization

2010-09-16 Thread Oliver Hookins
On Sep 16, 12:38 pm, Ben Tullis b...@tiger-computing.co.uk wrote:
 Thanks for the response, but I think you've misunderstood the first
 bit.

  Rails logs are not rotated by default. The rails world would use a  
  capistrano task:

 http://blog.daeltar.org/logrotate-with-capistrano-generated-configura

  This is creating a logrotate file - which can be done with puppet too.

 It's not a log file that is causing the problem, it's the sheer size
 of the database reports table.
 I have already put logrotate files in place for the rails log files,
 and they're fine.

   Might there be any indexes missing from my database? I think I  
   installed
   the dashboard at version 1.0, but ran the database upgrade script
   between 1.0.1 and 1.0.3.

  Rack::Bug is a tool you can use to get an idea about missing indexes:

 http://github.com/brynary/rack-bug

 That's an interesting technique, but I'd rather not get into modifying
 the application itself to put diagnostics in-line, especially as it's
 in production.

 For reference, the indexes that I have on the reports table are these:

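 mysql> show indexes in reports;
 +---------+------------+--------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
 | Table   | Non_unique | Key_name                 | Seq_in_index | Column_name | Collation | Cardinality | Sub_part | Packed | Null | Index_type | Comment |
 +---------+------------+--------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
 | reports |          0 | PRIMARY                  |            1 | id          | A         |      380511 |     NULL | NULL   |      | BTREE      |         |
 | reports |          1 | index_reports_on_node_id |            1 | node_id     | A         |         229 |     NULL | NULL   | YES  | BTREE      |         |
 | reports |          1 | index_reports_on_time    |            1 | time        | A         |      380511 |     NULL | NULL   | YES  | BTREE      |         |
 +---------+------------+--------------------------+--------------+-------------+-----------+-------------+----------+--------+------+------------+---------+
 3 rows in set (0.06 sec)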

 I've got mysql logging queries that can't use an index, so I'll
 analyse that to see if anything jumps out at me.

 This table currently has 800MB of data and uses 14MB for the indexes.

Consider yourself lucky, mine takes up over 2GB. To save on space, if
you are using MySQL 5.1 you might consider using the InnoDB plugin and
Barracuda compressed row format. As the reports are the big space hog
and are mostly text, they compress well.

There are some details regarding database performance on the following
ticket:
http://projects.puppetlabs.com/issues/4357

In particular, upgrading to 1.0.4 (which I see has just made RC1)
should help front-page performance. My latest update on the above
issue also includes how to add another index to the reports table
which speeds up front-page performance yet again.




[Puppet Users] Re: Dashboard database optimization

2010-09-16 Thread Ben Tullis
Hi Oliver and Rob,
I think I'll be implementing all of those suggestions in the near
future then. Many thanks to you both.

We're only on MySQL 5.0 for now, so no compressed rows, but that's a
very interesting technique.
I'll keep my ear to the ground for 1.0.4 as well.

Ben




[Puppet Users] Length of the name of a define

2010-09-16 Thread Luc Suryo
Hello,

I do not know whether this is a bug or somewhere in the docs (could not find
it)

if a define is named:

define add_file_exec_bin

I get the error

err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Puppet::Parser::AST::Resource failed with error ArgumentError: Invalid
resource type add_file_exec_bin at
/var/lib/puppet/fly/modules/fly-mongo/manifests/server.pp:12


if a define is named:

define add_file_ebin

it works just fine... bug or by design? the function is not part of any
class, it is just something I import like

class mongo::server inherits mongo::base {
...
}

class mongo::base {
  import "functions.pp"
}


would it be better and advisable to put those in a class and then do an
'include' and rename them as
class_name::define_name () { }

and is there any restriction on the define name?

thanks

-- 
-ls




Re: [Puppet Users] Glassfish asadmin provider

2010-09-16 Thread lists
Hi,

Thanks for all suggestions! I finally went for Nan Liu's solution by 
checking the $PATH environment variable for an executable.

The resulting commit is here:
http://github.com/larstobi/puppet-glassfish/commit/047f82

diff --git a/lib/puppet/provider/glassfish/asadmin.rb 
b/lib/puppet/provider/glassfish/asadmin.rb
index d2009a7..56abe71 100644
--- a/lib/puppet/provider/glassfish/asadmin.rb
+++ b/lib/puppet/provider/glassfish/asadmin.rb
@@ -1,7 +1,17 @@
  Puppet::Type.type(:glassfish).provide(:asadmin) do
desc Glassfish support.

-  commands :asadmin = /opt/NSBglassfish/bin/asadmin
+  def self.find_asadmin(path = ENV['PATH'])
+path.split(:).each do |directory|
+  executable = directory + /asadmin
+  if File.executable? executable
+debug executable
+return executable
+  end
+end
+return 
+  end
+  commands :asadmin = find_asadmin

def create
  args = []
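
Review bot: find_asadmin falls through to a bare `return` when no directory in PATH holds an executable asadmin, and `commands :asadmin = find_asadmin` then registers that empty result when the provider is loaded, so a host without Glassfish gets a provider with no usable command instead of a clear failure. Make the not-found case explicit, for example by failing with a message that names the searched PATH or by falling back to the previous /opt/NSBglassfish/bin/asadmin. The change also replaces a fixed absolute path with the first match in ENV['PATH'], so whichever directory comes first in the agent's PATH decides which binary the provider runs; consider checking a short list of known install directories before PATH. Building the candidate with `directory + /asadmin` turns an empty PATH entry into /asadmin, which File.join on a non-empty directory would avoid, and a comment saying why the lookup is done by hand would help the next reader.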


-- 
Regards, Lars Tobias






[Puppet Users] Installing 32bit rpms (using up2date on RHEL4) on a 64bit OS?

2010-09-16 Thread Geoff
How do you do it with puppet?
I'm attempting to automate the install of an Oracle RAC and the
installer requires a whole raft of 32bit rpms even on a 64bit OS.

Easy enough via:  up2date --arch i386 xorg-x11-deprecated-libs

But I can't find any option to pass the --arch option to the up2date
puppet package provider?

There have been previous posts on this topic and people seem to use a
kludgy 'exec' to get around this.
I want dependency resolution so 'exec' is not a good option.

Regards,

Geoff
Linuxsolve Ltd.




[Puppet Users] 'sslv3 alert handshake failure' when using puppet load-balanced through Apache

2010-09-16 Thread Tim
I've setup a puppet load-balanced solution based on these
instructions: 
http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Scalability

I have 4 puppetmaster instances running on my puppet server and an
Apache instance running on that server listening on port 8140 and
round-robining the requests from puppet clients. This works fine for
all my existing client machines.

The problem is that when adding a new machine I get errors like this:
puppetd --test -v --server puppet --waitforcert 60
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: sslv3 alert handshake failure




Re: [Puppet Users] Length of the name of a define

2010-09-16 Thread James Turnbull

Luc Suryo wrote:


and is there any restriction on the define name?


There shouldn't be - what version is this?

Regards

James Turnbull




Re: [Puppet Users] Length of the name of a define

2010-09-16 Thread Luc Suryo
the latest version 2.6.1


On Thu, Sep 16, 2010 at 9:50 AM, James Turnbull ja...@puppetlabs.com wrote:

 Luc Suryo wrote:


 and is there any restriction on the define name?


 There shouldn't be - what version is this?

 Regards

 James Turnbull





-- 
-ls




Re: [Puppet Users] Length of the name of a define

2010-09-16 Thread James Turnbull

Luc Suryo wrote:

the latest version 2.6.1


Then it's definitely a bug and can you please log it?  Please include 
your manifests and as much detail in the log output.


Thanks

James Turnbull




Re: [Puppet Users] Length of the name of a define

2010-09-16 Thread Luc Suryo
will do
can it be a tar file?  (gz?)

Thanks!

On Thu, Sep 16, 2010 at 9:55 AM, James Turnbull ja...@puppetlabs.com wrote:

 Luc Suryo wrote:

 the latest version 2.6.1


  Then it's definitely a bug and can you please log it?  Please include
 your manifests and as much detail in the log output.

 Thanks


 James Turnbull





-- 
-ls




[Puppet Users] Re: Tagging / Exported Resources

2010-09-16 Thread CraftyTech
does this feature work flawlessly for everyone except me?

On Sep 15, 5:00 pm, CraftyTech hmmed...@gmail.com wrote:
 Ok, so far I've stripped down all the extra tools to make sure I can
 identify the issue with filtering the collection of exported hosts.
 Basically I took foreman out of the equation for the time being, so
 that I can concentrate on the bare minimum to get this feature
 rolling.

 Here's the node:
 node server1 {
      $group = [test] --- Also tried without brackets, and tried
 without quotations 
      include basics1
      }
 Here's the class:
 class basics1{
         require host_collect
         notice(The Value is ${group})
 class host_export  { notice(The Value is ${group}) @@host{ $fqdn:
                       ip = $ipaddress,
                       host_aliases = $hostname,
                       tag = $group
                       }}

 class host_collect { require host_export notice(The Value is $
 {group}) Host | tags == $group | }

 Here's the result from the server side (debug mode):
 debug: Using cached facts for server1.dev.domain.com
 info: Caching node for server1.dev.domain.com
 debug: importing '/etc/puppet/manifests/classes/dev_sys.pp'
 debug: importing '/etc/puppet/manifests/classes/test_class.pp'
 debug: importing '/etc/puppet/manifests/nodes/dev_nodes.pp'
 notice: Scope(Class[basics1::host_export]): The Value is test
 -
 notice: Scope(Class[basics1::host_collect]): The Value is test
 -
 notice: Scope(Class[basics1]): The Value is test  
 debug: Scope(Class[basics1::host_collect]): Collected 0 Host
 resources   ===
 in 0.00 seconds
 notice: Compiled catalog for server1.dev.domain.com in 0.17 seconds
 info: Caching catalog for server1.dev.domain.com
 debug: Searched for resources in 0.01 seconds
 debug: Searched for resource params and tags in 0.00 seconds
 debug: Resource removal in 0.20 seconds
 debug: Resource merger in 0.06 seconds
 debug: Added resources(tags) in 0.08 seconds
 debug: Added resources(initialization) in 0.02 seconds
 debug: Added resources(parameters) in 0.02 seconds
 debug: Resource addition in 0.12 seconds
 debug: Performed resource comparison in 0.39 seconds
 debug: Using cached node for server1.dev.domain.com
 debug: Saved catalog to database in 0.41 seconds
 info: Applying configuration version '1284564089'

 Still... is not collecting the hosts even though the $var values
 are correct/exported I also tried using another Variable name, in
 case group is a reserved word.

 Any ideas, comments, suggestions?

 Thanks in advance,

 On Sep 15, 11:25 am, CraftyTech hmmed...@gmail.com wrote:



  Ok, I figured out how to put in Notice Statements : )

  I took foreman out of the equation for testing purposes, and I'm now
  using standard puppet node definitions.

  Here's the node:
  node server1 {
       $group = [test]
       include basics1
       }

  Here's the class:
  class basics1{
          require host_collect
          notice(The Value is ${group})

  class host_export  { notice(The Value is ${group}) @@host{ $fqdn:
                        ip = $ipaddress,
                        host_aliases = $hostname,
                        tag = $group
                        }}

  class host_collect { require host_export notice(The Value is $
  {group}) Host | tags == $group | }

  Here's the result from the server side (debug mode):
  debug: Using cached facts for server1.dev.domain.com
  info: Caching node for server1.dev.domain.com
  debug: importing '/etc/puppet/manifests/classes/dev_sys.pp'
  debug: importing '/etc/puppet/manifests/classes/test_class.pp'
  debug: importing '/etc/puppet/manifests/nodes/dev_nodes.pp'
  notice: Scope(Class[basics1::host_export]): The Value is test
  notice: Scope(Class[basics1::host_collect]): The Value is test
  notice: Scope(Class[basics1]): The Value is test
  debug: Scope(Class[basics1::host_collect]): Collected 0 Host resources
  in 0.00 seconds
  notice: Compiled catalog for server1.dev.domain.com in 0.17 seconds
  info: Caching catalog for server1.dev.domain.com
  debug: Searched for resources in 0.01 seconds
  debug: Searched for resource params and tags in 0.00 seconds
  debug: Resource removal in 0.20 seconds
  debug: Resource merger in 0.06 seconds
  debug: Added resources(tags) in 0.08 seconds
  debug: Added resources(initialization) in 0.02 seconds
  debug: Added resources(parameters) in 0.02 seconds
  debug: Resource addition in 0.12 seconds
  debug: Performed resource comparison in 0.39 seconds
  debug: Using cached node for server1.dev.domain.com
  debug: Saved catalog to database in 0.41 seconds
  info: Applying configuration version '1284564089'

  Still... is not collecting the hosts even though the $var values
  correct/exported Any ideas?

  Thanks,

  On Sep 15, 9:37 am, CraftyTech hmmed...@gmail.com wrote:

   Pardon my ignorance, but how do I do a notice statement?  I checked
   the puppet database and the value is there:

   mysql 

Re: [Puppet Users] Installing 32bit rpms (using up2date on RHEL4) on a 64bit OS?

2010-09-16 Thread Ryan Dooley
 I've not actually tried but I would think you should be able to do
something like:

package { 'foo.i386':
  ensure => latest,
}

I know yum understands the syntax of: yum install foo.i386 (or foo.x86_64).

Cheers,
Ryan

On 9/16/2010 6:05 AM, Geoff wrote:
 How do you do it with puppet?
 I'm attempting to automate the install of an Oracle RAC and the
 installer requires a whole raft of 32bit rpms even on a 64bit OS.

 Easy enough via:  up2date --arch i386 xorg-x11-deprecated-libs

 But I can't find any option to pass the --arch option to the up2date
 puppet package provider?

 There have been previous posts on this topic and people seem to use a
 kludgy 'exec' to get around this.
 I want dependency resolution so 'exec' is not a good option.

 Regards,

 Geoff
 Linuxsolve Ltd.





[Puppet Users] Chained puppet servers

2010-09-16 Thread Jewels
I think this should work - but I don't want to break production - so..

There are several firewalls involved, but I can open 8140 as needed.
So if I have a master server in one subnet and a client/master in
another net - here is what I am thinking.

The first master is well protected, call it A and the 2nd is B
which has both the client and Master server on it. I want the B client
to point to A-master and be able to get updated files. But as those
files are updated on B, the B-Master will service those same groups of
files/configs, etc, out to a whole other group of clients..

Any issues or problems with this that anyone can think of?

The reason for this is simple - the B Master is the only one who has
access to a whole bunch of clients on the other side, but A has to get
files from its protected subnets and push them out to B..

Ok, my head hurts now..

~J~




Re: [Puppet Users] cucumber-puppet and environments

2010-09-16 Thread Bruce Richardson
On Wed, Sep 15, 2010 at 09:31:19PM +0200, Alan Barrett wrote:
 I use an external node classifier purely for the purpose of setting
 the environment (and a parameter called $error_message or something,
 but not any classes).  There are minor problems when the master and
 client disagree, but so far the problems have not been enough to prevent
 installing a puppet.conf from a template, to make the client specify the
 correct environment on the next run.

You're still trusting the client.  It's the wrong approach (I'm not
criticising you personally, Puppet doesn't leave you much choice if you
want to use environments), it's vulnerable to error, fragile and
potentially insecure.

-- 
Bruce

I unfortunately do not know how to turn cheese into gold.




Re: [Puppet Users] Installing 32bit rpms (using up2date on RHEL4) on a 64bit OS?

2010-09-16 Thread James Cammarata

On Thu, 16 Sep 2010 10:24:38 -0700, Ryan Dooley ryan.doo...@gmail.com
wrote:
 I've not actually tried but I would think you should be able to do
 something like:
 
 package { 'foo.i386':
   ensure => latest,
 }
 
 I know yum understands the syntax of: yum install foo.i386 (or
foo.x86_64).
 
 Cheers,
 Ryan

The problem is, up2date doesn't understand the package.arch syntax, only
yum does. There is a bug filed on this, and I've submitted a patch to make
the up2date provider recognize the package.arch naming, and to split it off
so it will do up2date --arch instead - just waiting for it to be accepted
(which I don't think has happened yet) and applied to the next version
release.




Re: [Puppet Users] cucumber-puppet and environments

2010-09-16 Thread Nigel Kersten
On Thu, Sep 16, 2010 at 1:15 AM, Bruce Richardson itsbr...@workshy.org wrote:
 On Wed, Sep 15, 2010 at 09:31:19PM +0200, Alan Barrett wrote:
 I use an external node classifier purely for the purpose of setting
 the environment (and a parameter called $error_message or something,
 but not any classes).  There are minor problems when the master and
 client disagree, but so far the problems have not been enough to prevent
 installing a puppet.conf from a template, to make the client specify the
 correct environment on the next run.

 You're still trusting the client.  It's the wrong approach (I'm not
 criticising you personally, Puppet doesn't leave you much choice if you
 want to use environments), it's vulnerable to error, fragile and
 potentially insecure.

The client is the only component that can be authoritative over the
environment unfortunately.

However we set it via a fact, and that hasn't been fragile for us. YMMV.


 --
 Bruce

 I unfortunately do not know how to turn cheese into gold.






-- 
nigel




[Puppet Users] puppet 2.6.x with rrdtool

2010-09-16 Thread Derek Yarnell
Hi,

Since upgrading to 2.6.1 (previously on 0.25.x) our puppet master has been 
pretty constantly reporting this,

puppet-master[26174]: Report rrdgraph failed: Failed to update time: unknown DS name ''

In puppet.conf we just have, 

[master]
...
reports = store,log,rrdgraph

This was not throwing the error before on 0.25.x puppet master and it does seem 
like some (maybe all?) of the rrd graphs are getting updated.

Wondering if anyone had any thoughts.

Thanks,
derek

Derek Yarnell
UNIX Systems Administrator
University of Maryland
Institute for Advanced Computer Studies






Re: [Puppet Users] puppet 2.6.x with rrdtool

2010-09-16 Thread R.I.Pienaar

- Derek Yarnell de...@umiacs.umd.edu wrote:

 Hi,
 
 Since upgrading to 2.6.1 (previously on 0.25.x) our puppet master has
 been pretty constantly reporting this,
 
 puppet-master[26174]: Report rrdgraph failed: Failed to update time:
 unknown DS name ''

I had the same, didn't have time to investigate but can confirm the issue.




[Puppet Users] vcsrepo type

2010-09-16 Thread Alaric
Hi,

I've been playing with the vcsrepo type and for the most part it works
pretty well, with the exception of ensure => latest/present with svn...
when I ensure => present, it does what I expect, creates the working
directory at whatever version the repo is currently at, and leaves it alone
thereafter.  However, when I use ensure => latest, unless the working
directory exists as a SVN repo, it fails. Shouldn't ensure => latest imply
ensure => present?  I started down the road of writing something to
ensure a created working directory, and thought I'd bounce it off the list
to see if anyone else had any experience with vcsrepo, since it's entirely
possible that I've missed something blindly obvious.

   vcsrepo { "/path/on/disk":
     ensure   => latest,
     provider => svn,
     source   => 'https://server.example.com/repo/trunk/apps/foo',
   }


Thanks! And thanks to whomever wrote this type, it's going to be super
useful!!




[Puppet Users] Re: Wrong version in SPEC file

2010-09-16 Thread micha...@tnrglobal.com


On Jul 30, 5:56 pm, Todd Zullinger t...@pobox.com wrote:
 Douglas Garstang wrote:
  The spec file for for (whatever version this actually is), doesn't
  cleanly build an RPM either.
SNIP

     rpmbuild --rebuild --define 'dist .el5' --define 'rhel 5' \
         --define 'el5 1' /path/to/puppet*.src.rpm

 You can pass some options to disable augeas and selinux if you like as
 well.

SNIP

Sorry to interject, but how would I pass options to disable augeas? So
far, the only way I see is to prep and make the changes directly in the
spec file. Is there a way to do so on the rpmbuild command line?

Thanks!

Michael




Re: [Puppet Users] Re: Wrong version in SPEC file

2010-09-16 Thread R.I.Pienaar

- micha...@tnrglobal.com mich...@mapu.com wrote:

 On Jul 30, 5:56 pm, Todd Zullinger t...@pobox.com wrote:
  Douglas Garstang wrote:
   The spec file for for (whatever version this actually is),
 doesn't
   cleanly build an RPM either.
 SNIP
 
      rpmbuild --rebuild --define 'dist .el5' --define 'rhel 5' \
          --define 'el5 1' /path/to/puppet*.src.rpm
 
  You can pass some options to disable augeas and selinux if you like
 as
  well.
 
 SNIP
 
 Sorry to interject, but how would I pass options to disable augeas?
 So far, the only way I see is to prep and make the changes directly in
 the spec file. Is there a way to do so on the rpmbuild command line?

rpmbuild -ba -D 'dist .el5' -D 'rhel 5' -D '_without_augeas 1' puppet.spec




Re: [Puppet Users] Installing 32bit rpms (using up2date on RHEL4) on a 64bit OS?

2010-09-16 Thread Avi Miller

Hi Geoff,

On 16/09/10 11:05 PM, Geoff wrote:

I'm attempting to automate the install of an Oracle RAC and the
installer requires a whole raft of 32bit rpms even on a 64bit OS.


Why not use the oracle-validated[1] metapackage to pull in all the 
requirements? It's much simpler.


Cheers,
Avi


[1] http://oss.oracle.com/el5/oracle-validated/




[Puppet Users] Re: Wrong version in SPEC file

2010-09-16 Thread micha...@tnrglobal.com
On Sep 16, 4:23 pm, R.I.Pienaar r...@devco.net wrote:
 - micha...@tnrglobal.com mich...@mapu.com wrote:
  On Jul 30, 5:56 pm, Todd Zullinger t...@pobox.com wrote:
   Douglas Garstang wrote:
The spec file for for (whatever version this actually is),
  doesn't
cleanly build an RPM either.
  SNIP

       rpmbuild --rebuild --define 'dist .el5' --define 'rhel 5' \
           --define 'el5 1' /path/to/puppet*.src.rpm

   You can pass some options to disable augeas and selinux if you like
  as
   well.

  SNIP

  Sorry to interject, but how would I pass options to disable augeas?
  So far, the only way I see is to prep and make the changes directly in
  the spec file. Is there a way to do so on the rpmbuild command line?

 rpmbuild -ba -D 'dist .el5' -D 'rhel 5' -D '_without_augeas 1' puppet.spec

Great - that works. I also just tried:

rpmbuild --without augeas --without selinux --rebuild puppet-2.6.1-0.5.el5.src.rpm

and that worked as well.

Thanks for the quick response!

MK




[Puppet Users] Re: [Puppet-dev] GitHub Account move - the Great Migration continues...

2010-09-16 Thread Todd Zullinger
James Turnbull wrote:
 For example the Puppet repository that would have been cloned like:

 $ git clone git://github.com/reductivelabs/puppet.git

 Should now be cloned like:

 $ git clone git://github.com/puppetlabs/puppet.git

I know this came up in IRC the other day, so for anyone with a current
clone that wants to ensure it is pulling from the proper location,
there are numerous ways to do so.

If you have git >= 1.7.0, you can use:

$ git remote set-url origin git://github.com/puppetlabs/puppet.git

Otherwise, you can use git config:

$ git config remote.origin.url git://github.com/puppetlabs/puppet.git

Or, you can just edit .git/config directly and set the url parameter
appropriately.  (If you go this route, you've likely been using git
since long before it had convenient commands to manage settings.
That, or you're just hard-core about the *nix way. :)

Hope this helps,

-- 
Todd    OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~
Einstein argued that there must be simplified explanations of nature,
because God is not capricious or arbitrary. No such faith comforts the
software engineer.
-- Fred Brooks





[Puppet Users] Upgrade puppet from 2.5 to 2.6.1, module error

2010-09-16 Thread Michael K
Upon upgrading from 2.5 to 2.6.1, I am now seeing the following error,
and not sure how to track the problem down:

 No source module metadata provided for apache at /etc/puppet/manifests/templates.pp:5 on node puppet-test.example.com.

Previously, this worked. I'll be happy to provide any additional info
needed.

Thanks in advance.

Michael




[Puppet Users] Can the require value be a function?

2010-09-16 Thread Luc Suryo
Hello

I have this

fly::create_dir { "/usr/share/mysql-zrm/pkgs": mode => 0755, owner => bin, group => bin }

==> creates the directory and parents .. it just does a mkdir -p with a couple of tests

so I have
 file { "$client_package_file":
     path    => "/usr/share/mysql-zrm/pkgs/$client_package_file",
     source  => "puppet:///fly-zrm/pkgs/$client_package_file",
     mode    => 0444, owner => bin, group => bin,
     links   => follow,
     notify  => Exec[ "install-$client_package_name" ],
     require => fly::create_dir[ "/usr/share/mysql-zrm" ]
 }


So I need to make sure create_dir is executed before the 'file' being copied
over
but it fails with

err: Could not retrieve catalog from remote server: Error 400 on SERVER:
Syntax error at 'fly::create_dir'; expected '}' at
/var/lib/puppet/fly/modules/fly-zrm/manifests/client.pp:26 on node db10


can someone help me? .. I do not know if this is even possible and I could
use a different solution

I tried to capitalize the FLY, Fly, Create combination ..


thanks



-- 
-ls




Re: [Puppet Users] Can the require value be a function?

2010-09-16 Thread Nan Liu
On Thu, Sep 16, 2010 at 3:36 PM, Luc Suryo lsu...@gmail.com wrote:
 fly::create_dir { "/usr/share/mysql-zrm/pkgs": mode => 0755, owner => bin, group => bin }

  file { "$client_package_file":
      path    => "/usr/share/mysql-zrm/pkgs/$client_package_file",
      source  => "puppet:///fly-zrm/pkgs/$client_package_file",
      mode    => 0444, owner => bin, group => bin,
      links   => follow,
      notify  => Exec[ "install-$client_package_name" ],
      require => fly::create_dir[ "/usr/share/mysql-zrm" ]
  }


 So i need to make sure create_dir is executed before the 'file' being copied
 over

Sidestepping mkdir -p, you need to capitalize the first char,
otherwise Puppet thinks you are declaring a new resource. Change
require line to the following:

require => Fly::Create_dir[ "/usr/share/mysql-zrm/pkgs" ],

Thanks,

Nan




Re: [Puppet Users] Can the require value be a function?

2010-09-16 Thread Luc Suryo
Thanks! Works

--
Kind regards
Luc Suryo

-  Remember No one travels faster than the speed of live 

On Sep 16, 2010, at 16:30, Nan Liu n...@puppetlabs.com wrote:

 On Thu, Sep 16, 2010 at 3:36 PM, Luc Suryo lsu...@gmail.com wrote:
 fly::create_dir { "/usr/share/mysql-zrm/pkgs": mode => 0755, owner => bin, group => bin }
 
  file { "$client_package_file":
      path    => "/usr/share/mysql-zrm/pkgs/$client_package_file",
      source  => "puppet:///fly-zrm/pkgs/$client_package_file",
      mode    => 0444, owner => bin, group => bin,
      links   => follow,
      notify  => Exec[ "install-$client_package_name" ],
      require => fly::create_dir[ "/usr/share/mysql-zrm" ]
  }
 
 
 So i need to make sure create_dir is executed before the 'file' being copied
 over
 
 Sidestepping mkdir -p, you need to capitalize the first char,
 otherwise Puppet thinks you are declaring a new resource. Change
 require line to the following:
 
 require => Fly::Create_dir[ "/usr/share/mysql-zrm/pkgs" ],
 
 Thanks,
 
 Nan
 



Re: [Puppet Users] vcsrepo type

2010-09-16 Thread Michael Knox

 Alaric,
I've just made a fix to the svn provider (and a related tidy up to the 
vcsrepo type)

That change is available at: http://github.com/mikeknox/puppet-vcsrepo

Cheers

On 17/09/10 5:44 AM, Alaric wrote:

Hi,

I've been playing with the vcsrepo type and for the most part it works 
pretty well, with the exception of ensure => latest/present with 
svn...  when I ensure => present, it does what I expect, creates the 
working directory at whatever version the repo is currently at, and 
leaves it alone thereafter.  However, when I use ensure => latest, 
unless the working directory exists as a SVN repo, it fails. Shouldn't 
ensure => latest imply ensure => present?  I started down the 
road of writing something to ensure a created working directory, and 
thought I'd bounce it off the list to see if anyone else had any 
experience with vcsrepo, since it's entirely possible that I've missed 
something blindly obvious.


   vcsrepo { "/path/on/disk":
     ensure   => latest,
     provider => svn,
     source   => 'https://server.example.com/repo/trunk/apps/foo',
   }


Thanks! And thanks to whomever wrote this type, it's going to be super 
useful!!






Re: [Puppet Users] 'sslv3 alert handshake failure' when using puppet load-balanced through Apache

2010-09-16 Thread Patrick
I've found that there are three major pieces that can be going wrong in this 
case:
1) Getting the ca.pem file to the client.
2) Getting the Certificate sign request to the server.
3) Getting the signed certificate to the client.

Test them like this:
To test 1) Grab /var/lib/puppet/ssl/ca.pem from a working client and put it on 
the client that doesn't work.
To test 2) Check if you see the client's name when you run puppetca --list 
--all on the server.  If not, try using sudo puppetca --generate 
hostname.domainname on the server.



On Sep 16, 2010, at 7:12 AM, Tim wrote:

 I've setup a puppet load-balanced solution based on these
 instructions: 
 http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Scalability
 
 I have 4 puppetmaster instances running on my puppet server and an
 Apache instance running on that server listening on port 8140 and
 round-robining the requests from puppet clients. This works fine for
 all my existing client machines.
 
 The problem is that when adding a new machine I get errors like this:
 puppetd --test -v --server puppet --waitforcert 60
 warning: peer certificate won't be verified in this SSL session
 err: Could not request certificate: sslv3 alert handshake failure
 



Re: [Puppet Users] Chained puppet servers

2010-09-16 Thread Patrick

On Sep 16, 2010, at 10:56 AM, Jewels wrote:

 I think this should work - but I don't want to break production - so..
 
 There are several firewalls involved, but I can open 8140 as needed.
 So if I have a master server in one subnet and a client/master in
 another net - here is what I am thinking.
 
 The first master is well protected, call it A and the 2nd is B
 which has both the client and Master server on it. I want the B client
 to point to A-master and be able to get updated files. But as those
 files are updated on B, the B-Master will service those same groups of
 files/configs, etc, out to a whole other group of clients..
 
 Any issues or problems with this that anyone can think of?

Basically, it won't work with a stock install without some tweaking.  A client 
and server can not share a ssldir unless they share a CA.  A simple solution is 
to define ssldir to be /var/lib/puppet/client_ssl in [puppetd] and 
/var/lib/puppet/server_ssl in [puppetmasterd].




Re: [Puppet Users] Chained puppet servers

2010-09-16 Thread Nigel Kersten
On Thu, Sep 16, 2010 at 6:03 PM, Patrick kc7...@gmail.com wrote:

 On Sep 16, 2010, at 10:56 AM, Jewels wrote:

 I think this should work - but I don't want to break production - so..

 There are several firewalls involved, but I can open 8140 as needed.
 So if I have a master server in one subnet and a client/master in
 another net - here is what I am thinking.

 The first master is well protected, call it A and the 2nd is B
 which has both the client and Master server on it. I want the B client
 to point to A-master and be able to get updated files. But as those
 files are updated on B, the B-Master will service those same groups of
 files/configs, etc, out to a whole other group of clients..

 Any issues or problems with this that anyone can think of?

 Basically, it won't work with a stock install without some tweaking.  A 
 client and server can not share a ssldir unless they share a CA.  A simple 
 solution is to define ssldir to be /var/lib/puppet/client_ssl in [puppetd] 
 and /var/lib/puppet/server_ssl in [puppetmasterd].

I reckon that if you're doing this, you may as well set up an entirely
new $vardir for the puppetmaster.

I take it you're going to be doing lots of recursive file copies from
A to B which will then serve them as puppet manifests ?

What's the actual problem you're trying to solve with this?




[Puppet Users] SSL Chaining puppet 2.6.1 passenger and apache

2010-09-16 Thread denmat
Hi list,

have an issue which I haven't been able to find a definitive answer
for after searching list.

I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
this is not related to the new release. (running on F12/Centos5.5).

The puppetmaster works fine with my certificates using the internal
webrick server.

I've put apache and passenger in place and I get this difference in
the certificate chain, which I assume is my problem. Can this be
solved without regenerating all the certificates or is there something
I'm missing from my configs (puppet.conf refreshly generated with
puppetd --genconfig)?

## puppetmaster/webrick:
openssl s_client -connect puppet.int.example.com:8140
CONNECTED(0003)
depth=1 CN = au-mel-master-1.int.example.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=au-mel-master-1.int.example.com
   i:/CN=au-mel-master-1.int.example.com
 1 s:/CN=au-mel-master-1.int.example.com
   i:/CN=au-mel-master-1.int.example.com

##  puppet passenger/apache
openssl s_client -connect puppet.int.example.com:8140
CONNECTED(0003)
depth=1 CN = ca
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=au-mel-master-1.int.example.com
   i:/CN=ca
 1 s:/CN=ca
   i:/CN=ca


I have copy and pasted from the /usr/share/puppet/ext directories the
default configurations making slight changes depending on my setup.

[r...@au-mel-master-1 ~]# cat /etc/httpd/conf.d/puppetmasterd.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off


Listen 8140
<VirtualHost *:8140>

    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile      /var/lib/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # CRL checking should be enabled; if you have problems with Apache
    # complaining about the CRL, disable the next line
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # The following client headers allow the same configuration to
    # work with Pound.
    # RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    # RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    # RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run


The result from the puppetd run on a normally working client is:
sudo puppetd --test --verbose
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources using 'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: certificate verify failed Could not retrieve file metadata
for puppet://puppet/plugins: certificate verify failed
info: Loading facts in nfs_home
info: Loading facts in nfs_home
err: Could not retrieve catalog from remote server: certificate verify
failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run


puppet.conf:
publickeydir = /etc/puppet/ssl/public_keys
authconfig = /etc/puppet/namespaceauth.conf
httplog = /var/lib/puppet/log/http.log
privatedir = /etc/puppet/ssl/private
libdir = /var/lib/puppet/lib
hostcert = /etc/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
pluginsource = puppet://puppet/plugins
localcacert = /etc/puppet/ssl/certs/ca.pem
factpath = /var/lib/puppet/lib/facter:/var/lib/puppet/facts
certdir = /etc/puppet/ssl/certs
rundir = /var/lib/puppet/run
requestdir = /etc/puppet/ssl/certificate_requests
passfile = /etc/puppet/ssl/private/password
hostprivkey = /etc/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
hostcrl = /etc/puppet/ssl/crl.pem
factdest = /var/lib/puppet/facts/
logdir = /var/lib/puppet/log
statedir = /var/lib/puppet/state
ssldir = /etc/puppet/ssl

Re: [Puppet Users] SSL Chaining puppet 2.6.1 passenger and apache

2010-09-16 Thread Patrick

On Sep 16, 2010, at 9:11 PM, denmat wrote:

 Hi list,
 
 have an issue which I haven't been able to find a definitive answer
 for after searching list.
 
 I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
 this is not related to the new release. (running on F12/Centos5.5).
 
 The puppetmaster works fine with my certificates using the internal
 webrick server.
 
 I've put apache and passenger in place and I get this difference in
 the certificate chain, which I assume is my problem. Can this be
 solved without regenerating all the certificates or is there something
 I'm missing from my configs (puppet.conf refreshly generated with
 puppetd --genconfig)?

Your passenger config is pulling certs from /var/lib/puppet/ssl and webrick is 
pulling certs from /etc/puppet/ssl so they should be operating differently.
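
The mismatch described in this reply can be checked mechanically before a client ever sees "certificate verify failed". The Python below is an added example, not part of the original thread or of Puppet: it lists every certificate, key or CRL path in an Apache vhost that lies outside the ssldir that puppet.conf resolves to. The function names and the embedded sample configs (constructed from the paths quoted in the thread, with a `$vardir`-based ssldir assumed for the aligned case) are assumptions.

```python
import posixpath
import re

# Apache mod_ssl directives whose argument is a certificate, key or CRL path.
SSL_PATH_DIRECTIVES = {
    name.lower(): name
    for name in (
        "SSLCertificateFile",
        "SSLCertificateKeyFile",
        "SSLCertificateChainFile",
        "SSLCACertificateFile",
        "SSLCARevocationFile",
    )
}

# Constructed sample: the SSL lines of the vhost posted in the thread, unwrapped.
APACHE_VHOST = """\
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/au-mel-master-1.int.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/au-mel-master-1.int.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # SSLCARevocationFile mentioned in a comment must be ignored
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
</VirtualHost>
"""

# Constructed sample: the relevant settings of the puppet.conf in the thread.
PUPPET_CONF_AS_POSTED = """\
ssldir = /etc/puppet/ssl
certdir = /etc/puppet/ssl/certs
localcacert = /etc/puppet/ssl/certs/ca.pem
"""

# Constructed sample: a puppet.conf whose ssldir matches the vhost. Writing
# ssldir through $vardir is an assumption, used to exercise interpolation.
PUPPET_CONF_ALIGNED = """\
[main]
vardir = /var/lib/puppet
ssldir = $vardir/ssl

[puppetmasterd]
templatedir = $confdir/templates
"""


def parse_puppet_conf(text):
    """Return {section: {setting: value}}; lines before any header go to main."""
    settings = {"main": {}}
    section = "main"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            settings.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[section][key.strip()] = value.strip()
    return settings


def resolve(settings, section, key, depth=0):
    """Look up key in section, fall back to main, and expand $other settings."""
    value = settings.get(section, {}).get(key)
    if value is None:
        value = settings["main"].get(key)
    if value is None or depth > 10:  # depth guard against circular references
        return value

    def substitute(match):
        inner = resolve(settings, section, match.group(1), depth + 1)
        return match.group(0) if inner is None else inner

    return re.sub(r"\$(\w+)", substitute, value)


def apache_ssl_paths(text):
    """Return [(directive, path)] for the path-carrying SSL directives."""
    found = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() in SSL_PATH_DIRECTIVES:
            found.append((SSL_PATH_DIRECTIVES[parts[0].lower()], parts[1].strip('"')))
    return found


def paths_outside_ssldir(apache_text, puppet_text, section="puppetmasterd"):
    """List Apache SSL paths that are not located under Puppet's ssldir."""
    ssldir = resolve(parse_puppet_conf(puppet_text), section, "ssldir")
    if ssldir is None:
        raise ValueError("puppet.conf does not set ssldir")
    root = posixpath.normpath(ssldir)
    return [
        (directive, path)
        for directive, path in apache_ssl_paths(apache_text)
        if not (posixpath.normpath(path) + "/").startswith(root + "/")
    ]


if __name__ == "__main__":
    for directive, path in paths_outside_ssldir(APACHE_VHOST, PUPPET_CONF_AS_POSTED):
        print(f"{directive} points outside ssldir: {path}")
```

The `section` argument also covers a host that runs both agent and master with separate ssldir values per section, since the lookup prefers the named section and only then falls back to `[main]`.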





[Puppet Users] Re: SSL Chaining puppet 2.6.1 passenger and apache

2010-09-16 Thread denmat
You are correct. Many thanks Patrick.

On Sep 17, 3:10 pm, Patrick kc7...@gmail.com wrote:
 On Sep 16, 2010, at 9:11 PM, denmat wrote:



  Hi list,

  have an issue which I haven't been able to find a definitive answer
  for after searching list.

  I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
  this is not related to the new release. (running on F12/Centos5.5).

  The puppetmaster works fine with my certificates using the internal
  webrick server.

  I've put apache and passenger in place and I get this difference in
  the certificate chain, which I assume is my problem. Can this be
  solved without regenerating all the certificates or is there something
  I'm missing from my configs (puppet.conf refreshly generated with
  puppetd --genconfig)?

 Your passenger config is pulling certs from /var/lib/puppet/ssl and webrick 
 is pulling certs from /etc/puppet/ssl so they should be operating differently.




Re: [Puppet Users] Re: SSL Chaining puppet 2.6.1 passenger and apache

2010-09-16 Thread Patrick

On Sep 16, 2010, at 10:37 PM, denmat wrote:

 You are correct. Many thanks Patrick.

You're welcome.  I'd advise you to trim down your config file right after you 
get it working.  Yours is really unmanageable.  Here's mine:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter

[puppetmasterd]
templatedir=$confdir/templates

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY


[puppetd]
report=true
pluginsync=true
listen=true


 On Sep 17, 3:10 pm, Patrick kc7...@gmail.com wrote:
 On Sep 16, 2010, at 9:11 PM, denmat wrote:
 
 
 
 Hi list,
 
 have an issue which I haven't been able to find a definitive answer
 for after searching list.
 
 I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so
 this is not related to the new release. (running on F12/Centos5.5).
 
 The puppetmaster works fine with my certificates using the internal
 webrick server.
 
 I've put apache and passenger in place and I get this difference in
 the certificate chain, which I assume is my problem. Can this be
 solved without regenerating all the certificates or is there something
 I'm missing from my configs (puppet.conf refreshly generated with
 puppetd --genconfig)?
 
 Your passenger config is pulling certs from /var/lib/puppet/ssl and webrick 
 is pulling certs from /etc/puppet/ssl so they should be operating 
 differently.
 