[Puppet Users] Using puppet cert generate on a client -- why doesn't this work?

2012-02-27 Thread Rich Rauenzahn 
I'm running a two headed puppetmaster and have disabled crl's.   Let's
call them the primary and the secondary.  The primary and secondary
both use the primary as their master.  The secondary only is used when
the primary isn't responding (I wrap the puppetd call in cron with a
short shell script)

I'm managing these ca files on the masters, pushing them with puppet itself...

$ grep file\ { certs.pp
file { /var/lib/puppet/ssl/ca/ca_crt.pem:
file { /var/lib/puppet/ssl/ca/ca_key.pem:
file { /var/lib/puppet/ssl/ca/private/ca.pass:
file { /var/lib/puppet/ssl/certs/ca.pem:
file { /var/lib/puppet/ssl/ca/ca_crl.pem:  (ensures absent, we
don't need them in our environment.)

Then, in order to generate the ssl certs for the webservice, I generate this:

# If this isn't working, try puppet cert clean $::fqdn first
exec {/usr/bin/puppet cert --generate --certdnsnames $aliases $::fqdn:
creates = [/var/lib/puppet/ssl/certs/${::fqdn}.pem,
/var/lib/puppet/ssl/private_keys/${::fqdn}.pem,
/var/lib/puppet/ssl/public_keys/${::fqdn}.pem,
/var/lib/puppet/ssl/ca/signed/${::fqdn}.pem,
   ],
user= root,
notify  = Service['httpd'],
}

I create these manually so I can pass the --certdnsnames $aliases for
the puppetmaster DNS cname.

This seems to work fine for the primary.  But when the secondary tries
to run against the primary, it fails with

err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources using 'eval_generate: certificate verify failed
err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate
verify failed Could not retrieve file metadata for
puppet://primary/plugins: certificate verify failed

I would think that the certs would be good because I generate them
with the exact same CA's as the primary.  If I remove the certs and go
through a normal signing process, it works.  It is only when I use
puppet cert --generate on the secondary do the certs fail.

I'm almost considering running puppet cert --generate with --ssldir to
point it someplace else to generate certs with cnames ONLY for the web
server (apache), and then have another set of certs in the normal
place generated for client/master signing.

But it is bothering me that I don't understand what is going on.  How
does signing work?

My impression is that the client connects to the SSL port on the
master, verifies that the SSL keys are good (validates against
/var/lib/puppet/ssl/certs/ca.pem for authenticity and verifies it has
the right hostname signed (or aliased)).

What happens next?  Does the client present a cert also signed by the
CA to prove it is allowed to perform queries?

What's the cleanest way around this?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Software inventory

2011-09-21 Thread Rich Rauenzahn 
On Wed, Sep 21, 2011 at 9:45 AM, Glenn Bailey
replic...@dallaslamers.org wrote:
 Howdy,

 Before I go about writing one myself, anyone out there written a
 software inventory module/fact for gathering a list of all installed
 rpms/debs on a system? Got a few ideas floating around in my head, but
 wanted to see if/what other folks have done ..

We've written some custom facts that return a JSON string and then we
wrote a custom function that uses PSON.parse() to process and return
the native data.  Since puppet supports arrays and dictionaries, this
works well.

One problem is if you have any Nones/Nulls in your JSON, PSON.parse()
doesn't handle them right.  Once bubbled up to puppet, they don't come
out as undef.. they come out as some strange type that puppet doesn't
recognize as false yet has no value.   So we post process the
PSON.parse() and clean out the Ruby nil's and just make them .

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: scoping question - I want a node specific global var

2011-08-17 Thread Rich Rauenzahn 
On Tue, Aug 16, 2011 at 4:46 PM, Scott Smith sc...@ohlol.net wrote:
 Some times doing things the right way requires going through the pain of
 changing your current practices for the better.

Sometimes your schedule doesn't allow you to refactor that much right now.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: scoping question - I want a node specific global var

2011-08-17 Thread Rich Rauenzahn 
On Wed, Aug 17, 2011 at 6:44 AM, jcbollinger john.bollin...@stjude.org wrote:
 * We're not using ENC


 Fair enough.  I don't use one either, but it was worth pointing out
 the possibility.

Yes, and it is an additional argument to migrate there eventually.

 * I want the special information right alongside the node decl.  This
 reduces chance for error and makes the data more maintainable.


 So that's the constraint that is really biting you, in more ways than
 one, and I feel obligated to observe that it is a style / practices
 issue, not an infrastructure issue.

But it is a good style.  It is bad style to spread the information in
several places where they can get out of sync with each other.  We did
our best to deploy our puppet deployment according to the best
practices at the time, and it would even still work with the current
version of puppet; I just don't want to depend on dynamic scoping
which is going away.

Yes, the ENC solves that, but I need a workaround now, not later after
we've migrated to ENC. We have a deadline for implementing the
failover and I'm trying to find the cleanest interim solution.

 Ok, so that rules out regex hostname matching, both in node
 declarations and in selector expressions.  It makes it less palatable,
 but by no means impossible to use a selector somewhere to choose a
 value for $failover.  It remains your stipulation that $failover be
 assigned in the node declaration that narrows your options here.

Yes - I don't want the failover variable buried in manifests further
below.  It is an attribute of the node, not the classes the node
includes.

 Your constraint that the failover information be in the node
 declarations is again what's driving you here.  It is not consistent
 to insist that node declarations must contain more information, but at
 the same time complain that they become longer / more complex.

It is consistent if I have to jump through hoops of making them more
complex just to set an attribute :)

 Maybe the answer is to make a case statement in the nodes.pp that sets
 $IMSPECIAL globally based on the hostname... which was one of your
 suggestions.  But I don't like maintaining two lists of host regex's,
 which could get out of date.

 Is there no specifier to reach my node's scope?   i.e.,
 $mynode::IMSPECIAL?  Maybe in Ruby?


 Only dynamic scoping, as far as I know, and that's going away.  Also,
 it doesn't work with node inheritance the way you would like it to do.

That's unfortunate.. 'cause I can refer to an arbitrary class with
$foo::var.  I'd hoped there was some scoping sugar to refer to my node
scope.

I can refer to my parent class by name, so I 'd think it natural to
want to refer to node scopes.

node a { include c }

class b { $b = 1 }

class c inherits b {  notice($b::b)  }

or

class b {
  $b = 1
  notice($c::c)
}

class c {
  $c = 2
  include b
  notice($b::b)
}

 It may be that Hiera provides a way to paper over this problem.  I

We'll definitely check out Hiera someday, but right now isn't the time.

 Alternatively, you could drop the plan to use node inheritance.  You
 must have a viable plan for identifying your failover nodes by their
 hostnames (even if its just knowing specific names),

We have specific names, but it is prone to error as we add more.  I'm
not the only one maintaining this puppet environment.  The real
problem is that we deployed this failover site using the same naming
conventions as non-failover systems in the same datacenter.

We do have a machine database that we query inside of puppet to make
some variables... i.e., $machine_database::location,
$machine_database::category.  I think THAT is how we're going to have
to solve this problem for now -- which is sort of like solving it with
an ENC.  Eventually we want to have this db drive the ENC anyway.

 for your original
 idea is predicated on such a plan.  Therefore, instead of applying
 that logic to choose which node declaration to apply, you can instead
 use it either within node declarations or without to set your magic
 variable or class parameter, or to include a different / extra class.
 For example:

 node /.*our-db\d+/     {
  $failover = $hostname ? { /our-db\d+/ = false, default = true }
  include system:our_db
 }

I'm not following -- doesn't that example have the same problem?   The
variable $failover has no visibility outside of this scope.

Anyway, discussing it more internally, we're going to use an attribute
of the machine database.

Thanks for all the suggestions -- saves me time from heading down wrong paths!

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: scoping question - I want a node specific global var

2011-08-16 Thread Rich Rauenzahn 
On Tue, Aug 16, 2011 at 6:23 AM, jcbollinger john.bollin...@stjude.org wrote:
[Lots of good ideas]

 Of those, I would recommend either extlookup() or your ENC (if you
 have one), with my personal preference being extlookup().  I think
 Hiera may offer an even better solution (though similar to
 extlookup()), but I'm not familiar enough with it to feel comfortable
 recommending it.

Unfortunately I've thought of some of those and they don't quite fit
with our existing infrastructure.

* We're not using ENC
* I want the special information right alongside the node decl.  This
reduces chance for error and makes the data more maintainable.

Let me give more background:

We have a nodes.pp with a lot of hosts in it.  We map a nodename to a
single class...

node /our-squid\d+/ { include system:our_squid }
node /our-db\d+/ { include system:our_db }

and so on.

We are making a failover site.

node /special-our-squid\d+/ { include system::our_squid}
node /special-our-db\d+/ { include system::our_db }

I don't want to confuse the issue with more details, but due to some
legacy naming conventions, we can't (..shouldn't...) use /^special-*/
to determine the sites are failover.  We would like the attribute in
puppet.

I could do class { system::our_db: failover = failover }, except I
want that failover attribute within the class that system::our_db
derives from.

class system {
  // Am I special?
}

class system::our_db($failover) inherits system {
   // Am I special, too?
}

So ideally (except that this won't work with the new scoping rules in
the future), I'd like to

node /special-our-db\d+/ { $SPECIAL=true
  include system::our_db }

Now, I could make a class

class special($yesorno = false) {
   $SPECIAL = $yesorno
}

and include that in all nodes, and change it to false in the special
nodes  It isn't very elegant and makes our node file a lot
messier.  Each node is two lines now.. there must be a more elegant
solution.

Maybe the answer is to make a case statement in the nodes.pp that sets
$IMSPECIAL globally based on the hostname... which was one of your
suggestions.  But I don't like maintaining two lists of host regex's,
which could get out of date.

Is there no specifier to reach my node's scope?   i.e.,
$mynode::IMSPECIAL?  Maybe in Ruby?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] scoping question - I want a node specific global var

2011-08-15 Thread Rich Rauenzahn 
Is it possible to do something like this within the new scoping rules?
 It seems that $::IMSPECIAL doesn't refer to the decl in node a.  And
I can't use class parms as the variable is evaluated in a base class.

Suggestions?  Currently using puppet 2.7.1

node a {
   $IMSPECIAL=true
   include foo
}

class bar {
   if $IMSPECIAL {
  notice(I'm special!)
   }
}

class foo inherits bar {

   // other stuff...

}

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: Not getting errors/warnings/etc in reports

2011-08-01 Thread Rich Rauenzahn 
On Thu, Jul 21, 2011 at 7:37 AM, Peter Meier peter.me...@immerda.ch wrote:
 I'm still not getting my error() messages in the report yaml ... why?

 Probably, because functions are evaluated on the master, while the
 report is created on the client when the catalog is applied. So these
 messages never get sent down the client...

 ~pete

Ah, yes, that makes sense I guess.  Puppet.error() calls within the
resources executed on the clients get added to the client report, but
Puppet.error() calls executed during compile time don't because they
executed on the server.

For now I've done:

define report::err($withpath=false) {
notify { $name:
tag  = 'err',
withpath = $withpath,
loglevel = 'err',
}
}

It's a little annoying because it causes the creation of this resource
to also be logged with loglevel = err, along with the message.  But I
think I can live with that.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Not getting errors/warnings/etc in reports

2011-07-20 Thread Rich Rauenzahn 
On Tue, Jul 19, 2011 at 11:03 AM, Rich Rauenzahn rraue...@gmail.com wrote:
 I assumed this would have been fixed by 2.7.1, but it appears that
 when we call the functions err(), warning(), etc., that they don't get
 added to the report object, which we are using to generate nagios
 alerts.

 I'm guessing I'll have to write my own to do that -- does anyone have
 any examples of logging the error message and also adding it to the
 report object?   (... and I don't really want to use the exec {
 /bin/false: } workaround)

Digging through the code it looks like puppet adds messages internally
using Puppet.warning(), Puppet.error(), so I made a custom function to
call these directly.

I'm still not getting my error() messages in the report yaml ... why?
And is there any workaround?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Not getting errors/warnings/etc in reports

2011-07-19 Thread Rich Rauenzahn 
I assumed this would have been fixed by 2.7.1, but it appears that
when we call the functions err(), warning(), etc., that they don't get
added to the report object, which we are using to generate nagios
alerts.

I'm guessing I'll have to write my own to do that -- does anyone have
any examples of logging the error message and also adding it to the
report object?   (... and I don't really want to use the exec {
/bin/false: } workaround)

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] puppet never finishing when there are thousands of resources

2011-07-12 Thread Rich Rauenzahn 
We are using puppet to export nagios resources (now we're using file
resources to represent them) and the number of resources is probably
in the thousands -- our puppet runs take 6GB (on the client side) and
then just sort of spin forever (it's been running for a couple of
hours now -- and no, we're not paging.)

We're using puppet 2.6.4 and ruby 1.8.6 -- upgrading is on our
roadmap, but we need to fight a few other fires first.

Anyone have any suggestions for fixing this?  Or how to mitigate this?
 I wonder if something isn't scaling -- like maybe the number of edges
in the puppet DAG is increasing exponentially

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] imports, defined(), and conflicts

2011-06-29 Thread Rich Rauenzahn 
We're trying to write a rule that  imports a bunch of nagios
Nagios_host rules.  But then we take a list of machines and add
Nagios_host rules for them as well.  Some of the systems might
overlap, and we were hoping to use puppet to weed them out.

We assumed if we did

class a {
Nagios_host 
Nagios_service 
}

class b {
...
if ! defined Nagios_host[$a_host] {
   nagios_host { $a_host: ...}
   nagios_service { ... }
}
...
}

include a
include b

That we could count on using the defined() function to determine
whether something was already defined and define it if it isn't.

This isn't working -- we get a duplicate nagios_service entry, which
tells me either one of our hosts in registering a nagios_service,
without a nagios_host entry, or I can't count at all on the evaluation
order of 's and resource definitions.

I just verified the node has a nagios_host defined.  Is there any
other way around this problem?  (I have some other ideas, like a
concat file with the hosts defined and the grep -v'ing them.. but was
hoping for something more elegant.)

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] exporting resources that aren't built-in resources...

2011-06-22 Thread Rich Rauenzahn 
We seem to be able to export resources (and import them) just fine if
they are basic resources, like nagios_* -- but we don't seem to be
able to do it with defines, like @@concat::fragment.

$ puppet -V
2.6.4

Is this a bug?  Intended behavior?  Are we doing something wrong?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: exporting resources that aren't built-in resources...

2011-06-22 Thread Rich Rauenzahn 
On Wed, Jun 22, 2011 at 3:03 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 We seem to be able to export resources (and import them) just fine if
 they are basic resources, like nagios_* -- but we don't seem to be
 able to do it with defines, like @@concat::fragment.

 $ puppet -V
 2.6.4

 Is this a bug?  Intended behavior?  Are we doing something wrong?

ugh.  We were only using a single  not a .

nevermind

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] any better way to manage access control via /etc/passwd

2011-04-11 Thread Rich Rauenzahn 
On Mon, Apr 11, 2011 at 7:30 PM, hai wu haiwu...@gmail.com wrote:
 We need to manage /etc/passwd where there would be one line at the very end
 of the file to restrict access to all users not explictly allowed:

 +::/sbin/nologin

 If using delete_lines and append_if_no_such_lines (similar to this one at
 http://www.debian-administration.org/articles/528) to manage access control,
 each time a few new users got appended to /etc/passwd file, the above line
 would be deleted and appended, for many times, while it only needs to be
 done once.

 Any better way to manage this file in terms of access control? Augeas is
 buggy and I filed a bug report on this already.


I just dealt with this in our puppet config -- I wrote a
nis_modify_passwd script that has a --checkonly flag (for the exec's
onlyif condition), and a --add function.  I used

lckpwdf (3)  - get shadow password file entry
ulckpwdf (3) - get shadow password file entry

to lock the passwd file during the change -- and made sure not to edit
the passwd file in place -- I make a 2nd copy, then mv it into place
to ensure it works when out of diskspace.

BUT.. after doing all of this, I later realized that in the
nsswitch.conf, 'compat' mode for /etc/passwd sets the default for NIS
to not allow anyone unless explicitly added to the /etc/passwd.  So
another way to deal with this is to change your nsswitch.conf to be
'compat' and not 'files nis'.

In other words, 'files nis' more or less does a #include of all NIS
users, so you have to added an explicit global /sbin/nologin to your
passwd file -- but 'compat' allows you to hand pick which NIS users
you want and defaults to nologin.

Unfortunately, useradd doesn't seem to handle +user's...

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Using puppet/augeas to manage config entry AND matching comment

2011-04-06 Thread Rich Rauenzahn 
Seems like Augeas doesn't have a really good concept of conf file
entry AND a comment that goes with it.  I can 'ins' a comment before
the configuration item, but every time augeas runs, it will add
another.

I can re-'set' the comment before the existing configuration item, but
that won't work if the comment doesn't already exist.  Kind of a
chicken and egg.

This is what I have, and it doesn't work.  Probably the match fails on
the insert because the node doesn't exist at all -- too bad there
isn't an unless..

define sysctl::set($value, $comment=undef) {
include sysctl
$key = $name
if $comment {
$comment_use = $comment
} else {
$comment_use = Managed by puppet: $key = $value
}

$sysctl = '/files/etc/sysctl.conf'

augeas { sysctl::set $key = $value:
changes = [ set $sysctl/$key '$value, ],
notify  = Service['sysctl'],
}

augeas { sysctl::set insert comment for $key = $value:
changes = [ ins #comment before $sysctl/$key ],
onlyif  = match
$sysctl/#comment[following-sibling::*[1][self::$key]] size == 0,
require = Augeas[sysctl::set $key = $value],
}

augeas { sysctl::set change comment for $key = $value:
changes = [ set
$sysctl/#comment[following-sibling::*[1][self::$key]] '$comment_use'
],
onlyif  = match
$sysctl/#comment[following-sibling::*[1][self::$key]] size  0,
require = Augeas[sysctl::set $key = $value],
}

}

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: Using puppet/augeas to manage config entry AND matching comment

2011-04-06 Thread Rich Rauenzahn 
On Wed, Apr 6, 2011 at 11:14 AM, Rich Rauenzahn rraue...@gmail.com wrote:
 Seems like Augeas doesn't have a really good concept of conf file
 entry AND a comment that goes with it.  I can 'ins' a comment before
 the configuration item, but every time augeas runs, it will add
 another.

 I can re-'set' the comment before the existing configuration item, but
 that won't work if the comment doesn't already exist.  Kind of a
 chicken and egg.

This is a better approximation -- the only bug in this now (I think)
is that if the comment is cleared, but still exists, it will add
another one.  I could add an additional remove of the node if the size
is 0, before I insert, but I'm already invoking augeas more than I
want for one change.

define sysctl::set($value, $comment=undef) {
include sysctl
$key = $name
if $comment {
$comment_use = $comment
} else {
$comment_use = Managed by puppet: $key = $value
}

$sysctl = '/files/etc/sysctl.conf'

augeas { sysctl::set $key = $value:
changes = [ set $sysctl/$key '$value,
   ],
notify  = Service['sysctl'],
}

augeas { sysctl::set insert comment for $key = $value:
changes = [ ins #comment before $sysctl/$key,
 set
$sysctl/#comment[following-sibling::*[1][self::$key]] '$comment_use',
   ],
onlyif  = match
$sysctl/#comment[following-sibling::*[1][self::$key]] size == 0,
require = Augeas[sysctl::set $key = $value],
}

augeas { sysctl::set change comment for $key = $value:
changes = [ set
$sysctl/#comment[following-sibling::*[1][self::$key]] '$comment_use'
   ],
onlyif  = match
$sysctl/#comment[following-sibling::*[1][self::$key]] size  0,
require = Augeas[sysctl::set $key = $value],
}

}

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Re: returning a hash (json object) from custom function?

2011-03-16 Thread Rich Rauenzahn 
On Thu, Feb 10, 2011 at 8:35 AM, Peter Meier peter.me...@immerda.ch wrote:
 Could you file a bugreport[1], if there isn't yet one? Thanks!
 Then the chances are high that it will get fixed.

I'd love to, but so far no matter how many times I reset my password,
it thinks my login is invalid.

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] parsing (and returning) json data in puppet in custom function

2011-03-16 Thread Rich Rauenzahn 
I see there is a bug open about this,

http://projects.puppetlabs.com/issues/6621

but I can't login to puppetlabs.

define test() {
$foo3 = json_parse(bad|,'':)
notice($foo3)

$type = type($foo3) # our custom function that returns class
notice(type=$type)

if $foo3 ==  { notice(foo3 is '') }
if $foo3 == undef { notice(foo3 is undef) }
if !$foo3 { notice(foo3 is not true) }
if $foo3 { notice(foo3 is true) }

$foo4 = undef
if $foo4 == undef { notice(foo4 is undef) }
if $foo4 ==  { notice(foo4 is '') }

}

test { a: }

notice: Scope(Test[a]): type=NilClass
notice: Scope(Test[a]): foo3 is true
notice: Scope(Test[a]): foo4 is undef
notice: Scope(Test[a]): foo4 is ''

So nil from a custom function evaluates as true, and neither  nor undef.

The bug mentions ... (actually, I'll BCC Nigel, the author of that comment)

'and since we introduced the Ruby DSL, you’re free to incorporate
manifests that use the actual nil'

How?  Maybe that doesn't do what I hope it does..

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] Trying to write a visudo checker

2011-03-04 Thread Rich Rauenzahn 

On 3/4/2011 12:23 AM, Alan Barrett wrote:

On Thu, 03 Mar 2011, Rich Rauenzahn wrote:
It seems someone got clever and decided to look at exec's and look 
for managed filenames in argument lists and create implicit 
dependencies from them?  Argh!


Yes, the unwanted dependencies are very annoying.  Using file names 
like /dir/subdir/./file instead of /dir/subdir/file is enough to fool 
the code that adds implicit dependencies.




Ah, what I did instead was just do exec = diff /.$path1 /.$path2.   I 
was imagining doing much more invasive methods last night.  Thanks!


--
You received this message because you are subscribed to the Google Groups Puppet 
Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Trying to write a visudo checker

2011-03-03 Thread Rich Rauenzahn 
This visudo checker I've written (based on some examples from the web
and puppet training materials) causes a dependency loop -- but only
when I include the unless = diff   It seems someone got clever
and decided to look at exec's and look for managed filenames in
argument lists and create implicit dependencies from them?  Argh!

I also tried just making the exec a refreshonly from the sudoers_check
file's notify, but then the sudoers file itself ignored the bad return
from the exec even though it requires = the exec.

My best solution so far is to just let the visudo run every time...

$ puppet --version
2.6.4

define sudo::fragment($source, $order=10) {
concat::fragment { ${name}_sudoers:
source = $source,
target = $sudo::config::sudoers,
}
concat::fragment { ${name}_sudoers_check:
source = $source,
target = $sudo::config::sudoers_check,
}
}

class sudo::config($sudoers=/etc/sudoers) {
$sudoers_check = ${sudoers}.check
}

class sudo {
include concat::setup
$sudoers = $sudo::config::sudoers
$sudoers_check = $sudo::config::sudoers_check
package { sudo:
ensure = installed,
}
concat { $sudoers_check:
owner   = root,
group   = root,
mode= 440,
warn= true,
}
exec { visudo -cf $sudoers_check:
path= /usr/sbin/:/usr/bin,
require = [Concat[$sudoers_check], Package[sudo]],
unless  = diff $sudoers $sudoers_check,
}
concat { $sudoers:
owner   = root,
group   = root,
mode= 440,
require = [Exec[visudo -cf $sudoers_check], File[$sudoers_check]],
warn= true,
}
}

class { sudo::config: sudoers = /tmp/sudoers }

sudo::fragment { ob:
source   = puppet:///modules/sudo/sudoers,
#source   = /etc/passwd,
 }

err: Could not apply complete catalog: Found dependency cycles in the
following relationships: Exec[visudo -cf /tmp/sudoers.check] =
File[/var/lib/puppet/concat/_tmp_sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] =
File[/var/lib/puppet/concat/_tmp_sudoers/fragments], Exec[visudo -cf
/tmp/sudoers.check] =
File[/var/lib/puppet/concat/_tmp_sudoers/fragments], Exec[visudo -cf
/tmp/sudoers.check] = File[/tmp/sudoers], Exec[concat_/tmp/sudoers]
= File[/tmp/sudoers], File[/tmp/sudoers] = Exec[visudo -cf
/tmp/sudoers.check],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] =
File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers] =
Exec[concat_/tmp/sudoers], File[/var/lib/puppet/concat/_tmp_sudoers]
= Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] =
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments] =
Exec[concat_/tmp/sudoers], Exec[visudo -cf /tmp/sudoers.check] =
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments/10_ob_sudoers] =
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out] =
Exec[concat_/tmp/sudoers],
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat] =
Exec[concat_/tmp/sudoers], File[/var/lib/puppet/concat/_tmp_sudoers]
= File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
Exec[visudo -cf /tmp/sudoers.check] =
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat.out],
File[/var/lib/puppet/concat/_tmp_sudoers] =
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat],
Exec[visudo -cf /tmp/sudoers.check] =
File[/var/lib/puppet/concat/_tmp_sudoers/fragments.concat]; try using
the '--graph' option and open the '.dot' files in OmniGraffle or
GraphViz

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Keeping a directory clean at top level

2011-02-15 Thread Rich Rauenzahn 
Say we have a directory called /FOO-- we want to only have in it what
puppet puts into it. I want to remove any symlinks, empty directories,
or files in it that don't belong -- but only one level deep.  If the
subdirectory has content, I don't want it removed -- ideally, I'd like
a failure.  This is because we might have some systems misconfigured
(prior to deploying puppet) and we want to manually fix them -- the
content in /FOO/bar might be important.

Hmm - maybe this is a case for audit?  ...but doesn't seem to fit what
I want to do.  Maybe it doesn't work in command line mode since there
isn't a history recorded.

I've been trying

puppet resource file /tmp/empty_me ensure=directory purge=true
source=/tmp/empty recurse=true recurselimit=1 force=true

recurselimit=0 does nothing.  recurselimit=1 stll causes the
directory's contents to be removed.  Without force, empty directories
aren't removed.  Without recurse my directory isn't purged.

Any ideas?  Is this possible to do without making my own file resource type?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] force directory to symlink, but only if empty

2011-02-14 Thread Rich Rauenzahn 
I was surprised to find that

file { $foo:
ensure = symlink,
target  = '/tmp/foo',
}

doesn't replace $foo if $foo is an empty directory.

Is there a particular combination of options to the file resource that
would replace the directory with the symlink if empty, but wouldn't
filebucket the contents and the directory if it wasn't empty?

recurse=false doesn't do it...

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] force directory to symlink, but only if empty

2011-02-14 Thread Rich Rauenzahn 
On Mon, Feb 14, 2011 at 5:20 PM, Nan Liu n...@puppetlabs.com wrote:
 On Mon, Feb 14, 2011 at 5:17 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 I was surprised to find that

 file { $foo:
    ensure = symlink,
    target  = '/tmp/foo',
 }

 doesn't replace $foo if $foo is an empty directory.

 Is there a particular combination of options to the file resource that
 would replace the directory with the symlink if empty, but wouldn't
 filebucket the contents and the directory if it wasn't empty?

 See http://docs.puppetlabs.com/references/latest/type.html#file
 force = true

That is what I'm doing.  But force also empties the directory if it
has contents.  I don't want that.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] returning a hash (json object) from custom function?

2011-02-07 Thread Rich Rauenzahn 
We have a command line utility that queries a database to get certain
facts about our hosts -- I wanted to write a custom function to obtain
all of those facts at once.  The tool outputs JSON and I wanted to
take that output and return a hash back into puppet where I could
access the facts like...

$a = host_info()

if $a['in_maintenance'] == 'yes' {
} ...

etc, etc.

Right now I'm getting:

can't convert Array into String at ... Which I assume means that
puppet is expecting a string back from the custom function.

Maybe I just need to make a fact out of these instead and prefix them
with foo_in_maintenance, etc., etc., etc., but I'd really rather use
structured data.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: returning a hash (json object) from custom function?

2011-02-07 Thread Rich Rauenzahn 
Ok, I was mistaken.  Returning a hash works.  It would be helpful if
the ruby exceptions bubbled up to puppet reported the correct line
number from the ruby source -- if that is possible.

Rich

On Mon, Feb 7, 2011 at 4:18 PM, Rich Rauenzahn rraue...@gmail.com wrote:
 We have a command line utility that queries a database to get certain
 facts about our hosts -- I wanted to write a custom function to obtain
 all of those facts at once.  The tool outputs JSON and I wanted to
 take that output and return a hash back into puppet where I could
 access the facts like...

 $a = host_info()

 if $a['in_maintenance'] == 'yes' {
 } ...

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Re: [Puppet Users] certificate fails to verify

2011-02-06 Thread Rich Rauenzahn 
On Sat, Feb 5, 2011 at 7:54 PM, Tim Dunphy bluethu...@gmail.com wrote:
 Hello list!!

  I am a new puppet user and I am having trouble getting the server to
 verify the client cert. I know this has been covered before but I have
 tried several things and no luck as of yet.

This probably isn't your problem, but I want to post an experience I
had with getting the certificates to validate.

We inadvertently removed /var/lib/puppet/ssl on the puppetmaster and
needed to recertify all of the clients against the new CA the
puppetmaster created.  The clients would sort of half validate, but
still had cert errors.  I checked their clocks, I removed the ssl
directory on the client, I removed all the files in /var/lib/puppet --
nothing worked.

Finally I remembered our puppetmaster is front-ended by nginx  -- and
it also uses the puppet ssl keys -- and I hadn't restarted it since
changing the puppetmaster's keys, etc.

Once I restarted it, everything worked again.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] failing with fail() without failing everything

2011-02-03 Thread Rich Rauenzahn 
We would like to have a default node applied to systems, but also
trigger a failure so that we notice the system in puppet-dashboard.

At the moment we're doing...

node default {
   include system_defaults
   fail($hostname doesn't have a node to apply to it)
}

Unfortunately this seems to fail before the system_defaults class can
be applied to the node (which we want applied every time).   And err()
doesn't propagate up to the dashboard.

Is there any way to accomplish what I want?

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] How to include the Scope(...) in a generated string?

2011-02-02 Thread Rich Rauenzahn 
I'd like to include similar information that notice() spits out in a
file I am generating -- basically so that anyone looking at the
generated file (actually a file fragment)  could trace it back to the
class that is generating the entry.

Using $name within the file fragment is the closest I am getting to
what I want -- is there anything better?

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] redefining resource with a fully qualified name

2011-01-26 Thread Rich Rauenzahn 
This works:

$ cat foo.pp

define aaa($x=1) {
  notice(\$x=$x)
}

class b {
   aaa { xxx: x=2 }
}

class c inherits b{
   Aaa[xxx] {  x=3 }
}

include c

--
But this doesn't:
--

$ cat foo.pp

define scope::aaa($x=1) {
  notice(\$x=$x)
}

class b {
   scope::aaa { xxx: x=2 }
}

class c inherits b{
   Scope:aaa[xxx] {  x=3 }
}

include c

The reason I want to do this is that I was writing my own define of
yumrepo -- I was hoping that if I fully qualified it (yum::yumrepo),
it wouldn't conflict with the default one.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

[Puppet Users] Re: redefining resource with a fully qualified name

2011-01-26 Thread Rich Rauenzahn 
On Wed, Jan 26, 2011 at 10:18 AM, Rich Rauenzahn rraue...@gmail.com wrote:
 class c inherits b{
    Scope:aaa[xxx] {  x=3 }
 }

I remember seeing an example now:

Scope:Aaa[xxx]

-- capitalize both components.

Rich

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.