How do we set up hieradata in beaker-rspec?
In my base machine, I have successful rspec-puppet unit tests with hieradata and hiera.yaml configured and working.
How do I bring those setup configurations for hiera into my host machine, which is a puppet agent installed by beaker-rspec?
Please provide examples.
I now get
Error while evaluating a Function Call, Could not find data item service_name in any Hiera data file and no default supplied at /etc/puppetlabs/code/environments/production/modules/nodecheck/manifests/consul.pp
But I have this hieradata in my base machine, not sure how to scp it to the host.
Thanks in advance.
↧
how to setup hiera data in beaker-rspec
↧
sslv3 alert bad certificate after hardware changes
Hi!
Just replaced some hardware on my puppet master, new motherboard.
Everything seems to be working just fine, however all my puppets are consistently failing with "sslv3 alert bad certificate".
I have read a lot of threads that simply encourage deleting all certificates and generating new ones. But I have a serious problem with that: I like to understand why things happen. Also, I hate to run things by hand on my nodes, that is why I got Puppet in the first place, this keeps happening from time to time, etc...
So, I am digging deeper to check what is going on.
If I run puppet agent -t, I get the error: SSL_connect returned=1 state=SSLv3 read server session ticket A: sslv3 alert bad certificate.
However, both client and server have the same ca certificate, nothing seems to have changed, by just digging a bit into the files.
I also run by hand the following command from the node:
    openssl s_client -connect puppet:8140 -CAfile my-puppet-ca.pem
And I get a nice Verify return code: 0 (OK).
So, the problem does not seem to be the actual certificates, but something "puppety" going on...
Any idea what could be going on?
I run puppet 3.8.x on Ubuntu.
↧
evaluation error
Hi every one.
I'm new to Puppet and I wanted to install and add the ntp module from the Forge. Everything was going well and I followed instructions from several sites and YouTube, but when I run "puppet agent --test" I get this error:

I installed Puppet with Foreman and I add modules to hosts using Foreman's GUI. Please help me solve this problem. If I forgot anything, let me know.
↧
How does `apt::key` prevent duplicate keys?
The [puppetlabs-apt](https://github.com/puppetlabs/puppetlabs-apt/) manual states that the define `apt::key` makes use of the native type `apt_key`, but adds functionality to prevent duplicate keys.
After reading the [source of `key.pp`](https://github.com/puppetlabs/puppetlabs-apt/blob/master/manifests/key.pp) the only scenario to trigger these mechanisms is

    apt::key { 'F9EA4996747310AE79474F44977C43A8BA684223':
      ensure => 'absent',
    }
    apt::key { 'duplicate':
      ensure => 'present',
      id     => 'F9EA4996747310AE79474F44977C43A8BA684223',
    }

But if one would instead use the manifest

    apt_key { 'F9EA4996747310AE79474F44977C43A8BA684223':
      ensure => 'absent',
    }
    apt_key { 'duplicate':
      ensure => 'present',
      id     => 'F9EA4996747310AE79474F44977C43A8BA684223',
    }

this would also result in catalog compilation failure:
Error: Evaluation Error: Error while evaluating a Resource Statement, Cannot alias Apt_key[duplicate] to ["F9EA4996747310AE79474F44977C43A8BA684223"] at [...].pp:5; resource ["Apt_key", "F9EA4996747310AE79474F44977C43A8BA684223"] already declared at [...].pp:1 at /[...].pp:5:1 on node [...]
So what is (or was) the use of the define `apt::key`?
**Update 1:** Even on Puppet 2.7/Ruby 1.8.7, a duplicate declaration of `apt_key` is not possible:
Duplicate declaration: Apt_key[F9EA4996747310AE79474F44977C43A8BA684223] is already declared in file [...].pp at line 8; cannot redeclare
**Update 2:** The [spec for `apt::key`](https://github.com/puppetlabs/puppetlabs-apt/blob/459f515/spec/defines/key_spec.rb#L283) describes the mechanism in question, but does not describe any additional features beyond the aforementioned.
↧
Connect to puppet master using http instead of https
Hi,
my objective is to make a puppet agent connect to puppet master using http, instead of https on a custom port.
I already achieved custom port forwarding using iptables but I am having problems with the protocol switch.
Does someone have any tips?
Thank you,
Simello
↧
Job for puppetserver.service failed because the control process exited with error code
This error is coming while starting the puppetmaster service.
↧
Could not evaluate: getaddrinfo: Name or service
This error happened occasionally.
We use command: puppet agent --server puppetmaster.com.tw --test
to assign the puppet master instead of specifying in puppet.conf.
Mostly, the sync process was normal. However, sometimes it happened while applying changes (not while retrieving the catalog).
`Could not evaluate: getaddrinfo: Name or service not known Could not retrieve file metadata for puppet:///modules/app/lib/jackson-xc-1.9.2.jar: getaddrinfo: Name or service not known`
Environment:
Red Hat Enterprise Linux Server release 6.3 (Santiago)
Puppet Version: Open source 3.6.2
The resources report is as below. Can anyone suggest any debug method?
Changed 50
Failed 1
Out Of Sync 50
Pending 0
Restarted 2
Unchanged 2361
Total 2411
↧
Timeout::Error how to trouble shooting
Recently, so many Timeout::Error failures have occurred, but we have no idea if it is because the server load is too heavy.
Could not retrieve catalog from remote server: Timeout::Error
Could not evaluate: Timeout::Error Could not retrieve file metadata for puppet:///modules/xxxx/xxx.zip: Timeout::Error
Could not retrieve catalog from remote server: Timeout::Error
Could not retrieve catalog; skipping run
Could not evaluate: Timeout::Error Could not retrieve file metadata for puppet:///modules/xxx/xxxx: Timeout::Error
Could not evaluate: Connection timed out - connect(2) Could not retrieve file metadata for puppet:///modules/xxxx/extjs/resources/themes/images/gray/form/exclamation.gif: Connection timed out - connect(2)
We observed that the puppet master load was at most 60% when the timeout happened.
We can extend configtimeout=600 (10 min), but the situation still happens.
We did run puppet master on an Apache server, and if we do it one by one, the sync time doesn't cost too much.
Config Retrieval 96.24 seconds
Exec 0.00 seconds
File 102.20 seconds
Filebucket 0.00 seconds
Notify 0.01 seconds
Schedule 0.00 seconds
Service 0.06 seconds
Total 198.51 seconds
Is there any method to find out how the timeout happened?
↧
Can I have multiple CA certificates in a Puppet master?
Hi,
In a few months, my CA certificate (created almost 5 years ago) will expire. I was looking the instructions on how to recreate the certs (https://docs.puppet.com/puppet/3.8/reference/ssl_regenerate_certificates.html).
Everything works fine, except one detail: I need to be able to support Puppet clients using the old certificates (with the old self-signed CA) for some time (about two weeks).
So, is there a way to have both CA certs (new and old) in the Puppet master, to accomplish this?
Thanks in advance!
Andres
↧
puppet enterprise console not showing all parameters for apache class
New to Puppet. Trying to classify a group within the Puppet Enterprise console (the web interface to Puppet) and having limited success.
I am able to add the apache class to a group (after installing this module: https://forge.puppet.com/puppetlabs/apache), and pin it to a node/agent, and apache successfully installs on the agents.
However, some parameters/options cannot be set from within the Puppet Enterprise console. For instance I can find no way to apache::vhost or add any parameters to it.
I have also experienced this problem with other modules from the forge. I know I could write my own manifests and include them, but trying to utilize the web UI as much as possible (for a future sys admin to take over).
OS is Ubuntu 16.0.4 on master and agents.
↧
Compare catalog
How can I compare the catalog rendered by one puppetmaster with one rendered by another puppetmaster (puppetserver)? I wanna ensure both deliver the same catalog.
[The source code is not the same. (Pp language 3.8 → 4.x; usage of modern facts; code additions to serve both the old and new system)]
↧
Warning when I run puppet agent -t --server server1
Hi,
When I run puppet agent -t --server server1, I'm getting below warning:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: undefined method `include?' for nil:NilClass
But after the command completed successfully, I ran it again and this warning was gone.
I also checked the auth.conf file and it does include the contents below at the top of the file.

    # allow nodes to retrieve their own node definition
    path ~ ^/node/([^/]+)$
    method find
    allow $1

So I need some help to see if I can fix this warning the first time I run this.
Thanks
Link
↧
Error: Could not request certificate: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
Hello everyone,
Hello,
Here I am trying to learn to use Puppet to a future job and so I decide to mount a Lab in Vbox .
So I have two bridge machine
- Ubuntu puppet agent 192.168.0.5
- Debian puppet master server 192.168.0.14
So I ping the two machines with IP and hostname.
telnet from my client on the server works but when I want to apply for a cert to my server I have the following message appears
Error: Could not request certificate: Failed to open TCP connection to puppet:8140 (getaddrinfo: Name or service not known)
Here my puppet.conf on puppet agent machine

    [main]
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    rundir=/run/puppet
    factpath=$vardir/lib/facter
    prerun_command=/etc/puppet/etckeeper-commit-pre
    postrun_command=/etc/puppet/etckeeper-commit-post
    report=true
    rundir=/var/run/puppet/
    certname=debianserverpuppet
    server=debianserverpuppet
    environment=test
    runinterval=50
    [agent]
    listen = true
    [master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

My iptables :

    rbo@rbo-VirtualBoxOpenClassRoom:/etc/puppet$ sudo iptables -L --line-number
    Chain INPUT (policy ACCEPT)
    num  target  prot  opt  source              destination
    1    ACCEPT  tcp   --   debianserverpuppet  192.168.0.5         state NEW,ESTABLISHED tcp dpt:8140
    2    ACCEPT  tcp   --   anywhere            anywhere            tcp dpt:8140 state NEW
    Chain FORWARD (policy ACCEPT)
    num  target  prot  opt  source              destination
    Chain OUTPUT (policy ACCEPT)
    num  target  prot  opt  source              destination
    1    ACCEPT  tcp   --   192.168.0.5         debianserverpuppet  state NEW,ESTABLISHED tcp spt:8140
↧
class assignment to nodes using command line
In my environment, we are controlling puppet runs a bit differently. We have tagged the available classes to nodes using node groups on the PE console and run MCollective commands to trigger a puppet run. In more different way, I have class versions such as tomcat_1.3, tomcat_1.4 etc.
E.g I have tagged tomcat_1.3 class to webserver classification group and it's working fine. But it's a tedious job when I have tomcat_1.4 class available and need to tag the new class to webserver and likewise 50 different node groups.
Is there any command available in PE to process class assignment using command line? I am sorry, if you find my question stupid. But this is my requirement and I am unable to find out a solution. I do not want to go with site.pp or hiera, command line is the only solution I am looking for.
↧
Possible to add 'refreshonly' functionality to a custom type/provider?
Hi,
Is there any way in Puppet to add functionality to a custom type/provider similar to the 'refreshonly' parameter of the Exec type?
I have a custom resource type that I only wish to be executed when notified by another resource.
Thanks
↧
Puppet CA Shared Certificate Guide: Scalable Puppet?
This setup was so simple to get off the ground and running.
Only a couple of configs and it works great, at least in my lab it does.
So the question is, where's the gotcha here? Will it work in production? Why do I need to centralize the CA if all the masters can sign certs?
If I'm right this should be a high availability installation of puppet that scales easily. I'm usually wrong, so don't hurt me too bad.
**Testing Environment**
puppet version: 4.6.2
puppetserver version: 2.5.0
Hostnames: puppetserver-01.vm, puppetserver-02.vm
DNS SRV record: puppetserver.vm
**Install packages**
puppetlabs-release-pc1-1.0.0-2.el7.noarch.rpm
puppetserver-2.5.0-1.el7.noarch.rpm
puppet-agent-1.6.2-1.el7.x86_64.rpm
**Shared Cert. Creation. The SSL Directory**
In puppet.conf add:

    [main]
    dns_alt_names = puppet, puppetserver.vm

Then run

    # puppet cert generate --allow-dns-alt-names puppetserver.vm

**Remove dns-alt-names from puppet.conf**
We don't need this any more. Its purpose was just to create the shared cert.
**Point the webserver to the certificates**
Add the following to /etc/puppetlabs/puppetserver/conf.d/webserver.conf

    webserver: {
        access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml
        client-auth: want
        ssl-host: 0.0.0.0
        ssl-port: 8140
        ssl-cert : /etc/puppetlabs/puppet/ssl/certs/puppetserver.vm.pem
        ssl-key : /etc/puppetlabs/puppet/ssl/private_keys/puppetserver.vm.pem
        ssl-ca-cert : /etc/puppetlabs/puppet/ssl/certs/ca.pem
        ssl-cert-chain : /etc/puppetlabs/puppet/ssl/certs/ca.pem
        ssl-crl-path : /etc/puppetlabs/puppet/ssl/crl.pem
    }

**Optional Stuff**
Setup hiera.yaml
Copy puppet code
Setup autosign.conf
Disable IPv6
Firewall rule for 8140
**Start the server**
service puppetserver start
**Tar up the ssl directory.**
When deploying the next puppet master/ca server you'll need this.
**Launch your next puppetserver/ca node**
- extract the ssl directory
- set the permissions for the ssl directory
- modify the webserver.conf
- start the service.
**DONE**
With all your puppet servers behind an SRV record, you point the clients to this address.
Now they can sign their cert or receive their configuration from any server they hit.
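
Added example, not part of the original post: a Ruby model of what happens to serial numbers and revocation when the same `ssl` directory (CA key included) is untarred on two masters that then sign and revoke independently. It assumes each master keeps its own serial counter and CRL after the copy; every name, serial and key below is constructed.

```ruby
require 'openssl'
NOW = Time.now

# Sign a certificate with the shared CA key (or self-sign the CA when ca_cert is nil).
def issue(cn, serial, ca_key, ca_cert = nil)
  c = OpenSSL::X509::Certificate.new
  c.version = 2
  c.serial = serial
  c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  c.issuer = ca_cert ? ca_cert.subject : c.subject
  c.public_key = ca_cert ? OpenSSL::PKey::RSA.new(2048) : ca_key
  c.not_before = NOW - 60
  c.not_after = NOW + 3600
  bc = OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', 'CA:TRUE', true)
  c.add_extension(bc) unless ca_cert # only the self-signed CA gets CA:TRUE
  c.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# CRL as one master would publish it from its own list of revoked serials.
def crl_for(revoked_serials, ca_key, ca_cert)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = ca_cert.subject
  crl.last_update = NOW - 60
  crl.next_update = NOW + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = NOW - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verify a client certificate against the CA plus one master's CRL.
def accepted?(cert, ca_cert, crl)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.verify(cert)
end

# Both masters were restored from the same snapshot, so each one's next serial is 2.
def shared_ca_scenario
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue('Puppet CA (constructed)', 1, ca_key)
  agent_a = issue('agent-a.vm', 2, ca_key, ca) # signed on master 1
  agent_b = issue('agent-b.vm', 2, ca_key, ca) # signed on master 2
  crl1 = crl_for([agent_a.serial], ca_key, ca) # master 1 revokes agent-a
  crl2 = crl_for([], ca_key, ca)               # master 2 never hears about it
  { same_serial: agent_a.serial == agent_b.serial,
    m1_accepts_a: accepted?(agent_a, ca, crl1), m2_accepts_a: accepted?(agent_a, ca, crl2),
    m1_accepts_b: accepted?(agent_b, ca, crl1) }
end
```

In this model the revoked agent is still accepted by the second master, and an unrelated agent that happens to share the serial is rejected by the first; keeping the serial file and CRL on storage shared by all masters removes both effects.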
↧
Onlyif not functioning even when return is not "0"
I have an exec which executes a powershell command to stop and delete a service. It's dependent on an onlyif which is using powershell's "Get-Service" to check if the service exists. I can see that the Get-Service call is returning 1060 (service doesn't exist), but the command still attempts to execute.
Am I missing something here?
↧
Hiera Data Provider Classic vs Version 4 Interpolation Behavior
When a variable cannot be resolved in a configured path for hiera v4 the entire lookup fails and nothing is returned. In Hiera classic, the lookup would continue on using the next defined path.
Example v4 hiera.yaml:

    ---
    version: 4
    datadir: data
    hierarchy:
      - name: "Tier"
        backend: yaml
        path: "%{undefinedvariable}"

Example:

    puppet lookup classes --node 'nodeone' --explain --merge unique
    ...
    No such key: "undefinedvariable"

Is this expected behavior? My use case is that not all of my nodes in the same environment have identical facts and if a dynamic path contains a variable that cannot be resolved, I would like the lookup to continue and use the paths that contain variables that can be resolved. Basically, continue to function as Hiera classic does.
↧
How do you use the WSUS Module client to configure WSUS settings on Puppet Agent servers?
I am using Puppet Enterprise with Puppet Master installed on CentOS 7.2. I have installed the WSUS Module.
I created a module for this manifest to go into. I have a manifest like this:

    class { 'wsus_client':
      server_url             => 'http://x.x.x.x:pppp',
      auto_update_option     => "Scheduled",
      scheduled_install_day  => "Wednesday",
      scheduled_install_hour => 3,
    }

When I run Puppet Agent there are no errors. Other manifests work. The above manifest does not work. There is no evidence it ran. The Local Group Policy editor screen (using the MMC) shows settings that are different from above. The registry settings associated with these WSUS settings are different from both the Local Group Policy editor settings AND the corresponding manifest's declarations above.
Group policy is not used on the Windows servers on my network.
Why aren't the settings in the manifest above working? Other manifests created in the same fashion without the WSUS module work just fine. My Puppet Agent runs with the -d flag. In the verbose output, I see no clues.
↧