Channel: Ask Puppet: Puppet DevOps Q&A Community - RSS feed

Report is not working

The report is received only when 'puppet agent -t' is run manually on the node. The puppet_interval time is 30 min and Puppet is working fine, as shown in the log, but Foreman didn't receive the report automatically. Why is Foreman not receiving the report automatically on every run of Puppet?

Can metadata.json include dependencies of git modules

Module 'A' depends on module 'B' and they both are in git - Is there a way to include them in metadata.json - Or does metadata.json only accept dependencies of modules that are in the puppet forge? Please provide examples. Thank you!

Connection Issues on Puppet

When I do puppet agent -t on the agent, I am seeing the following. It happened recently all of a sudden. A few things to mention:

1. The Puppet master and agents are all up and running.
2. The certificate is successfully signed.

* Puppet master version 4.3.1
* Puppet agent version 3.8.4
* OS RedHat, 6 on master, 7 on some agents.

```
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Connection refused - connect(2)
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': Connection refused - connect(2)
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://vengcjn501.mmm.com/pluginfacts: Connection refused - connect(2)
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Connection refused - connect(2)
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://vengcjn501.mmm.com/plugins: Connection refused - connect(2)
Info: Loading facts
Error: Could not retrieve catalog from remote server: Connection refused - connect(2)
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Connection refused - connect(2)
```

Uninstalling programs in windows that are less than X version

Hi puppeteers, I am working on some puppet manifests to manage Windows machines, and so, for a while, I was installing 7zip (for example) using this method:

```
package { '7-Zip 9.20 (x64 edition)':
  ensure   => installed,
  source   => 'http://downloads.sourceforge.net/sevenzip/7z920-x64.msi',
  provider => 'windows'
}
```

Now I have changed that, so chocolatey will be managing this install. The thing here is: I want to change my puppet manifest to remove the old 7zip version (no matter what old version that is, because I am managing a big number of machines). I thought to try matching with a regex any package that has a version less than '7zip 16.02.0.20160811', but that turned out too complicated. Is there any way I can achieve the same goal with less effort? (I also know that I can do the same with a batch file, but I want a cleaner solution to that.)

Is it appropriate to have commands in your params.pp class

Hello, I have a puppet module that ensures that an rpm is installed. If it is not installed it will install it in a default location (prefix). If it is installed it will make sure that the rpm is installed correctly with all correct files in either the default directory or the directory that was specified with the relocate option when the rpm was installed. I need to be able to check where the rpm was installed in my module. In my params.pp class I am running a command to identify the location of the install:

```
$cmd1 = "rpm -qa --queryformat '%{FILENAMES}' anf_jvmtop"
$specified_install_path = inline_template("<%= %x{$cmd1} %>")
if $specified_install_path == '' {
  $base = "/path"
} else {
  $base = $specified_install_path
}
```

This basically returns the $base which is the prefix of the install like 'usr/bin' or wherever the user installed it. Is this an appropriate usage of params.pp? I am rather new to puppet and every params.pp class I see has simple facts displayed. I thought about using an external fact but I don't want to have to put those on the puppet master and I think there is a simpler solution.

Thanks,

W2K8R2 puppet agent errors on second run - File exists - C:/ProgramData/PuppetLabs/puppet/var/facts.d

I consistently get the following on a second and all subsequent puppet agent runs after a puppet agent 3.6.2 install on a Windows 2008R2 OS:

```
PS C:\Users\Administrator>& 'C:\Program Files (x86)\Puppet Labs\Puppet\bin\puppet.bat' agent -t
Error: Could not set 'directory' on ensure: File exists - C:/ProgramData/PuppetLabs/puppet/var/facts.d
Error: Could not set 'directory' on ensure: File exists - C:/ProgramData/PuppetLabs/puppet/var/facts.d
Wrapped exception:
File exists - C:/ProgramData/PuppetLabs/puppet/var/facts.d
Error: /File[C:/ProgramData/PuppetLabs/puppet/var/facts.d]/ensure: change from absent to directory failed: Could not set 'directory' on ensure: File exists - C:/ProgramData/PuppetLabs/puppet/var/facts.d
Error: Could not prepare for execution: Got 1 failure(s) while initializing: File[C:/ProgramData/PuppetLabs/puppet/var/facts.d]: change from absent to directory failed: Could not set 'directory' on ensure: File exists - C:/ProgramData/PuppetLabs/puppet/var/facts.d
```

scheduled_tasks list

Hi, I am using scheduled_task to create some tasks to be run as Domain\user, and I have the following questions:

- scheduled_task created but does not show up in Task Scheduler Library, am I missing something?
- Does scheduled_task create the task by default with the option Run User logged in or not?
- I am unable to see all the system scheduled tasks when I try 'puppet resource scheduled_task'; I can see only a few of them. Is it something related to permissions?

Thanks!

scheduled_task created but not showing up in task scheduler

Hi, I am using scheduled_task to create some tasks to be run as Domain\user, and I have the following questions:

- scheduled_task created but does not show up in Task Scheduler Library, am I missing something?
- Does scheduled_task create the task by default with the option Run User logged in or not?
- I am unable to see all the system scheduled tasks when I try 'puppet resource scheduled_task'; I can see only a few of them. Is it something related to permissions?

Thanks!

overwrite fact osfamily

* Puppet Agent Version: 4.6.2
* Facter Version 3.4.1 (commit d0f32490f41ca12722c13e4c48d4572ae4f9bfdc)
* puppetserver version: 2.6.0

Server Linux:

* Linux server-hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 GNU/Linux
* Debian GNU/Linux 8 (jessie)
* facter -p osfamily: Debian

Client Linux:

* Linux client-hostname 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux
* Devuan GNU/Linux 1 (jessie)
* facter -p osfamily: Linux

**Problem**: devuan shown as osfamily linux, instead of debian

**Trying to resolve with facter overwrite**

I wrote a module with a customized fact in user@client: $module/osfamily/lib/facter/osfamily.rb

```
Facter.add(:osfamily) do
  has_weight 100
  setcode 'debian'
end
```

but the debug (facter -p --debug) output exits with:

```
INFO puppetlabs.facter - loading custom facts from /opt/puppetlabs/puppet/cache/lib/facter/osfamily.rb.
DEBUG puppetlabs.facter - fact "osfamily" resolved to null and the existing value of "Linux" will be removed.
```

**Question**

Is there a way to tell puppet that this new distribution is a member of the Debian os family?

external facts reference

Hello, Excuse my naivety but I am having a large amount of trouble with external facts. I have seen that you need to create a folder called /facts.d to store external facts in. Inside my facts.d folder I have /facts.d/install_location.sh

Now inside my install_location.sh I have the following:

```
#!/bin/bash
OUTPUT="$(/bin/rpm -qa --queryformat \'%{FILENAMES}\' pkg_jvmtop)"
echo "JVMTOP_HOME=${OUTPUT}"
```

I know you need to return things in a key/value pair like key=value. Thus I am echoing

```
echo "JVMTOP_HOME=${OUTPUT}"
```

I am getting several errors when attempting puppet apply /fact.d/install_location.sh

Can someone explain (in great detail) what I am doing wrong and how to reference JVMTOP_HOME in my manifests? I assume it is stupid, below are the errors I am getting:

```
Error: This Name has no effect. A value was produced and then forgotten (one or more preceding expressions may have the wrong form) at /etc/puppetlabs/code/environments/production/modules/jvmtop/facts.d/install_loc.sh:3:1
Error: Illegal attempt to assign to 'a Type-Name'. Not an assignable reference at /etc/puppetlabs/code/environments/production/modules/jvmtop/facts.d/install_loc.sh:2:1
Error: Found 2 errors. Giving up
```

Best practice for puppet agent (minor) version updates?

Greetings - What is the prevailing opinion on a package update strategy for the puppet agent? This would be applying updates within the same code stream (e.g. 4.5.3 -> 4.6.2), not updating between major versions. Is it recommended to just update periodically to the latest version from the repo or to lock in at a specific version so that you can have a bit more control and keep in sync with the puppet server/master? Also, (for RHEL, which we are using) the documentation only recommends updating using the repo package. That's fine, but I wonder if anyone is downloading the version-specific RPM for the puppet agent and updating from that file? It will technically work, but not sure if it's recommended. With RHEL and yum, you can update from repo and use the versionlock plugin which works fine too. I'm just starting out and we have a small number of nodes but will be rolling out the agents to larger numbers of servers over time. I'd like to have a currency/update process that's easily supportable if possible. I'm interested in learning how teams with large enterprises under Puppet are handling this. Thanks a bunch, Victor

Learning VM IP address is not getting assigned

After booting the Learning VM, the IP address is not showing. The facter ipaddress output is empty.

ruby methods .map, .each, .gsub changes overview for puppet v3 & v4

Hey Guys

Can anyone give me a good overview of the changes between ruby in puppet v3 & v4.
In particular the methods named above.

I need to cvt our p3 (3.2.2) system to p4, whilst at the same time, ensure that our code will run against both versions of puppet until we have fully converted.

At the moment, I frequently come across msgs like Detail: undefined method `gsub' for nil:NilClass for the above methods, and have to recode them.
This is doubly tricky as I know nothing about ruby ;)

Any help gratefully received

Chris

Puppet Local Account Notify Issue

```
user { 'acc1':
  ensure          => present,
  managehome      => true,
  password        => 'Test123',
  groups          => ['Administrators'],
  auth_membership => 'minimum',
  notify          => Exec['app config']
}

exec { 'app config':
  path        => 'c:\\program files (x86)\\app\\bin',
  command     => 'config.bat -f responsefile.rsp',
  refreshonly => true
}
```

The user is getting created, but I need the local account to be used for the app configuration. The above puppet script is executed by a domain account (abc\myname), and the application requires a local account to be used for the configuration. So I have created a local account through puppet and am using notify to tell exec to use the account created by puppet. But when it is executed, the application is throwing the error: "**need a local account or administrator**"

In the logs it says that **myname** is not a local account or administrator. I see that **exec** is not using the local user **acc1** created by puppet. Is there any other way in which I can direct the **exec** to use a particular local user account for configuration? Please advise.

puppetserver autosigned certificate differs puppetmaster autosigned cert

Hi all, we tried to migrate from puppet master in apache and rack to java puppetserver, but encountered a strange issue. Existing puppet nodes are working correctly, but newly added nodes fail to connect to puppetserver with an ssl error. I managed to find some time and create a puppet sandbox in vagrant (one puppet master and 2 managed nodes) and play a little bit with the issue. Here are all the steps I performed to create our own CA and run puppet master and puppet server:

```
[root@puppet ~]# service puppetserver stop
[root@puppet ~]# find /var/lib/puppet/ssl -type f -delete
[root@puppet ~]# cd /var/lib/puppet/ssl/ca
[root@puppet ca]# mkdir puppet-ca
[root@puppet ca]# cd puppet-ca
[root@puppet puppet-ca]# keytool -genkeypair -v \
    -alias 'Puppet CA - Sandbox' \
    -dname "emailAddress=great.admin@company.com, C=De, ST=Bayern, L=Munich, O=Company GmbH, OU=AAA, CN=Puppet CA - Sandbox" \
    -keystore puppet-ca.jks \
    -keypass funnyPass \
    -storepass funnyPass \
    -keyalg RSA \
    -keysize 4096 \
    -ext KeyUsage="keyCertSign,cRLSign" \
    -ext BasicConstraints:"critical=ca:true" \
    -validity 3650
Generating 4,096 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 3,650 days
        for: EMAILADDRESS=great.admin@company.com, C=De, ST=Bayern, L=Munich, O=Company GmbH, OU=AAA, CN=Puppet CA - Sandbox
[Storing puppet-ca.jks]
[root@puppet puppet-ca]# keytool -importkeystore -srckeystore puppet-ca.jks -destkeystore puppet-ca.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass funnyPass -deststorepass funnyPass -srcalias 'Puppet CA - Sandbox' -destalias 'Puppet CA - Sandbox' -srckeypass funnyPass -destkeypass funnyPass -noprompt
[root@puppet puppet-ca]# openssl pkcs12 -in puppet-ca.p12 -noout -nokeys -out ca_crt.pem
Enter Import Password:
MAC verified OK
[root@puppet puppet-ca]# openssl pkcs12 -in puppet-ca.p12 -noout -nodes -nocerts -out ca_key.pem
Enter Import Password:
MAC verified OK
[root@puppet puppet-ca]# openssl rsa -in ca_key.pem -pubout > ca_pub.pem
writing RSA key
[root@puppet puppet-ca]# cp /etc/pki/tls/openssl.cnf .
[root@puppet puppet-ca]# vim openssl.cnf # Comment out crlnumber and set database = index.txt
[root@puppet puppet-ca]# touch index.txt
[root@puppet puppet-ca]# openssl ca -gencrl -config openssl.cnf -keyfile ca_key.pem -cert ca_crt.pem -out ca_crl.pem
Using configuration from openssl.cnf
[root@puppet puppet-ca]# ls -l
total 40
-rw-r--r-- 1 root root 1052 Sep 23 13:40 ca_crl.pem
-rw-r--r-- 1 root root 2475 Sep 23 13:34 ca_crt.pem
-rw-r--r-- 1 root root 3424 Sep 23 13:33 ca_key.pem
-rw-r--r-- 1 root root 800 Sep 23 13:34 ca_pub.pem
-rw-r--r-- 1 root root 0 Sep 23 13:39 index.txt
-rw-r--r-- 1 root root 10902 Sep 23 13:40 openssl.cnf
-rw-r--r-- 1 root root 4048 Sep 23 13:26 puppet-ca.jks
-rw-r--r-- 1 root root 4422 Sep 23 13:27 puppet-ca.p12
[root@puppet puppet-ca]# cp ca_*.pem ../
[root@puppet puppet-ca]# cd ..
[root@puppet ca]# touch inventory.txt
[root@puppet ca]# echo 256558 > serial.txt
[root@puppet ca]# cp ca_crt.pem ../certs/ca.pem
[root@puppet ca]# cd ..
[root@puppet ssl]# mv ca/puppet-ca /tmp/
[root@puppet ssl]# find . -type f
./ca/inventory.txt
./ca/ca_crl.pem
./ca/ca_pub.pem
./ca/ca_crt.pem
./ca/serial.txt
./ca/ca_key.pem
./certs/ca.pem
[root@puppet ssl]# chown -R puppet. .
[root@puppet ssl]# puppet master --no-daemonize
Notice: puppet.admintbo.lan has a waiting certificate request
Notice: Signed certificate request for puppet.admintbo.lan
Notice: Removing file Puppet::SSL::CertificateRequest puppet.admintbo.lan at '/var/lib/puppet/ssl/ca/requests/puppet.admintbo.lan.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.admintbo.lan at '/var/lib/puppet/ssl/certificate_requests/puppet.admintbo.lan.pem'
Notice: Starting Puppet master version 3.7.5
Notice: client1.admintbo.lan has a waiting certificate request
Notice: Signed certificate request for client1.admintbo.lan
Notice: Removing file Puppet::SSL::CertificateRequest client1.admintbo.lan at '/var/lib/puppet/ssl/ca/requests/client1.admintbo.lan.pem'
Notice: Compiled catalog for client1.admintbo.lan in environment wdvagrant in 2.21 seconds

############ On client1
[vagrant@client1 ~]$ sudo rm -rf /var/lib/puppet/ssl
[vagrant@client1 ~]$ sudo puppet agent -t -w10
Info: Creating a new SSL key for client1.admintbo.lan
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client1.admintbo.lan
Info: Certificate Request fingerprint (SHA256): BF:20:52:D1:0D:36:6E:39:48:EB:4C:5C:03:CC:01:0A:5B:A3:F6:BF:D9:ED:D3:47:07:4E:6D:5D:81:63:86:EF
Info: Caching certificate for client1.admintbo.lan
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for client1.admintbo.lan
Info: Applying configuration version '1474631649'
Notice: Ping client1.admintbo.lan is randomized to 1800
Notice: /Stage[main]/Main/Node[client1.admintbo.lan]/Notify[Ping client1.admintbo.lan is randomized to 1800]/message: defined 'message' as 'Ping client1.admintbo.lan is randomized to 1800'
Notice: Finished catalog run in 5.05 seconds
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i -E 'issuer|subject'
Issuer: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
Subject: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/client1.admintbo.lan.pem | grep -i -E 'issuer|subject'
Issuer: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
Subject: CN=client1.admintbo.lan

################### Small clean-up before running puppet-server
############ On client1
[vagrant@client1 ~]$ sudo rm -rf /var/lib/puppet/ssl

############ On puppet master
[root@puppet ~]# puppet cert clean client1.admintbo.lan
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate client1.admintbo.lan at '/var/lib/puppet/ssl/ca/signed/client1.admintbo.lan.pem'
Notice: Removing file Puppet::SSL::Certificate client1.admintbo.lan at '/var/lib/puppet/ssl/certs/client1.admintbo.lan.pem'

#################### Starting puppet server
[root@puppet ~]# service puppetserver start
Starting puppetserver: [ OK ]

############ On client1
[vagrant@client1 ~]$ sudo puppet agent -t -w10
Info: Creating a new SSL key for client1.admintbo.lan
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client1.admintbo.lan
Info: Certificate Request fingerprint (SHA256): 46:2A:B7:83:06:08:F5:26:D3:AB:C4:E0:0F:2F:E4:7F:00:21:48:FB:8D:F6:C6:8F:11:D4:99:2F:29:16:DE:85
Info: Caching certificate for client1.admintbo.lan
Error: Could not request certificate: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet.admintbo.lan/pluginfacts: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet.admintbo.lan/plugins: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i -E 'issuer|subject'
Issuer: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
Subject: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/client1.admintbo.lan.pem | grep -i -E 'issuer|subject'
Issuer: emailAddress=great.admin@company.com, C=De, ST=Bayern, L=Munich, O=Company GmbH, OU=AAA, CN=Puppet CA - Sandbox
Subject: CN=client1.admintbo.lan

############ On puppet master
[root@puppet ~]# puppet cert list --all
+ "puppet.admintbo.lan" (SHA256) 26:7C:B9:67:CC:F4:9C:BB:83:5C:D0:4A:7D:89:7B:60:70:03:E6:BC:77:4A:AC:9F:85:76:70:D0:84:53:39:C3 (alt names: "DNS:puppet", "DNS:puppet.admintbo.lan")
- "client1.admintbo.lan" (SHA256) 78:B6:73:C3:0E:A8:2A:4E:F8:5E:B7:40:D3:F1:4F:C4:3F:18:FB:4F:D9:40:9A:70:12:B0:36:F6:40:60:69:DE (unable to get local issuer certificate)
```

As far as I can see the issue is here:

Certificate autosigned by puppet master:

```
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i -E 'issuer|subject'
Issuer: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
Subject: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/client1.admintbo.lan.pem | grep -i -E 'issuer|subject'
Issuer: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
Subject: CN=client1.admintbo.lan
```

Certificate autosigned by puppet server:

```
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem | grep -i -E 'issuer|subject'
Issuer: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
Subject: CN=Puppet CA - Sandbox, OU=AAA, O=Company GmbH, L=Munich, ST=Bayern, C=De/emailAddress=great.admin@company.com
[vagrant@client1 ~]$ sudo openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/client1.admintbo.lan.pem | grep -i -E 'issuer|subject'
Issuer: emailAddress=great.admin@company.com, C=De, ST=Bayern, L=Munich, O=Company GmbH, OU=AAA, CN=Puppet CA - Sandbox
Subject: CN=client1.admintbo.lan
```

The order of RDNs in the Issuer field is reversed when the cert is signed with puppet server. puppetserver is in version 1.0.8, puppetmaster is in version 3.7.5, java version 1.7.0_111.

If you have suggestions what to try, pls let me know. Recreating the CA is not a solution for us since we already have more than two thousand servers with certificates signed by the same CA. The reason to migrate to puppetserver is too many crashes of puppetmaster due to too high memory consumption. Tried to limit the number of rack processes, limit memory usage by process in passenger, nothing helped. :( And now we have this issue with puppetserver which otherwise works like a charm.

BR, T

How should I tune Passenger to run Puppet?

The [default Passenger/vhost config](https://github.com/puppetlabs/puppet/blob/master/ext/rack/example-passenger-vhost.conf) example provided by Puppet doesn't work with Passenger 4 unless modified. Additionally there isn't an explanation of tuning for dedicated Puppet masters. The docs for [setting up a master using Passenger](https://docs.puppetlabs.com/guides/passenger.html) do not cover it either. Is there an example of a config and performance settings for dedicated Puppet master servers?

Errors when adding CA cert to inventory.txt

We use Puppet extensively at Logicworks, and we've run into an issue in the automated build process for our Puppet masters, and I've isolated it to an issue with OpenSSL serials failing to be converted to integers.

We use the official Puppet modules to install our Puppetmasters using `puppet apply` via the AWS EC2 UserData script. We've deployed hundreds of PMs this way, but have recently started having an issue when bootstrapping the PM. Because puppet apply is also responsible for setting the hostname, and because the $hostname fact doesn't get updated until the next Puppet run, we generate our master cert first before installing the necessary configuration files via the "puppet-puppet" module.

```
exec { "puppetmaster-cert":
  command => "/usr/bin/puppet cert --generate --dns_alt_names ${dns_alt_names} ${aws::bootstrap::instance_fqdn}",
  creates => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem"
}

class { '::puppet':
  server                  => true,
  puppetmaster            => $aws::bootstrap::puppetmaster_hostname,
  agent_template          => "aws/bootstrap/puppet.erb.conf",
  server_certname         => $aws::bootstrap::instance_fqdn,
  server_foreman_url      => "https://${aws::bootstrap::instance_fqdn}",
  server_foreman_ssl_cert => "/var/lib/puppet/ssl/certs/${aws::bootstrap::instance_fqdn}.pem",
  server_foreman_ssl_key  => "/var/lib/puppet/ssl/private_keys/${aws::bootstrap::instance_fqdn}.pem",
  require                 => Exec['puppetmaster-cert']
}
```

However, for some reason Exec["puppetmaster-cert"] is failing with an exit code 23 (and no error at all). After much research, we found that the error is being raised here in **puppet/ssl/inventory.rb**, line 12:

```
# Add a certificate to our inventory.
def add(cert)
  cert = cert.content if cert.is_a?(Puppet::SSL::Certificate)
  Puppet.settings.setting(:cert_inventory).open("a") do |f|
    f.print format(cert) # <========================= Line 12
  end
end

# Format our certificate for output.
def format(cert)
  iso = '%Y-%m-%dT%H:%M:%S%Z'
  # Exception is raised here ---v
  "0x%04x %s %s %s\n" % [cert.serial, cert.not_before.strftime(iso), cert.not_after.strftime(iso), cert.subject]
end
```

When the ca cert gets added to inventory.txt, cert.serial is interpolated in the string as integer, and we get this error/traceback:

```
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `to_i'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `%'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:25:in `format'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:13:in `block in add'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system/file_impl.rb:26:in `open'
/usr/lib/ruby/vendor_ruby/puppet/file_system.rb:40:in `open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:197:in `block in open'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:231:in `block (2 levels) in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:57:in `withumask'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:221:in `block in controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/util/suidmanager.rb:72:in `asuser'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:219:in `controlled_access'
/usr/lib/ruby/vendor_ruby/puppet/settings/file_setting.rb:196:in `open'
/usr/lib/ruby/vendor_ruby/puppet/ssl/inventory.rb:12:in `add'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:311:in `sign'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:148:in `generate_ca_certificate'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:270:in `setup'
/usr/lib/ruby/vendor_ruby/puppet/ssl/certificate_authority.rb:161:in `initialize'
/usr/lib/ruby/vendor_ruby/puppet/application/cert.rb:248:in `new'
/usr/lib/ruby/vendor_ruby/puppet/application/cert.rb:248:in `setup'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block (2 levels) in run'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block in run'
/usr/lib/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
/usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
/usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
/usr/bin/puppet:8:in `'
```

If I go in with Pry, I can see the following details:

```
[4] pry(#)> cert.serial.to_i
OpenSSL::BNError:
from (pry):2:in `to_i'
```

I'm really at a loss as to what to do next. Nothing has changed in our process in weeks, and we verified all the relevant version info.

* Puppet Community Edition 3.8.7
* Foreman 1.8
* Ruby 1.9.3p484 (2013-11-22 revision 43786) [x86_64-linux]
* OpenSSL 1.0.1f 6 Jan 2014
* Ubuntu 14.04

Has anyone ever encountered anything like this?

Puppet Local Account Creation and Exec Resource

```
user { 'acc1':
  ensure          => present,
  managehome      => true,
  password        => 'Test123',
  groups          => ['Administrators'],
  auth_membership => 'minimum',
  notify          => Exec['app config']
}

exec { 'app config':
  path        => 'c:\\program files (x86)\\app\\bin',
  command     => 'config.bat -f responsefile.rsp',
  refreshonly => true
}
```

The user is getting created, but I need the local account to be used for the app configuration. The above puppet script is executed by a domain account (abc\myname), and the application requires a local account to be used for the configuration. So I have created a local account through puppet and am using notify to tell exec to use the account created by puppet. But when it is executed, the application is throwing the error: "need a local account or administrator"

In the logs it says that myname is not a local account or administrator. I see that exec is not using the local user acc1 created by puppet. Is there any other way in which I can direct the exec to use a particular local user account for configuration? Please advise.

Can I have multiple CA certificates in a Puppet master?

Hi, In a few months, my CA certificate (created almost 5 years ago) will expire. I was looking at the instructions on how to recreate the certs (https://docs.puppet.com/puppet/3.8/reference/ssl_regenerate_certificates.html). Everything works fine, except one detail: I need to be able to support Puppet clients using the old certificates (with the old self-signed CA) for some time (about two weeks). So, is there a way to have both CA certs (new and old) in the Puppet master, to accomplish this? Thanks in advance! Andres

Syntax error at '}'; expected '}'

So the error message Syntax error at '}'; expected '}' is not helping me find my problem. I'm trying to do something tricky, where I have this (shortened and anonymized) and the `$cron` variable set to `mon:12:0,wed:9:30`

```
class symantec (
  $version,
  $style = "unmanaged",
  $cron = '',
) {
  define createCronJob {
    $lines = split ($name,',')
    $lines[0] = split ($lines[0],':')
    $lines[1] = split ($lines[1],':')
    file { 'symantec.cron' :
      ensure => file,
      path => "/etc/cron.d/symantec.liveupdate.cron",
      content => "#
# this file is managed by puppet.
#
${lines[0][2]} ${lines[0][1]} * * ${lines[0][0]} root /usr/local/bin/system_patch.pl
${lines[1][2]} ${lines[1][1]} * * ${lines[1][0]} root /usr/local/bin/system_patch.pl
"
    }
  }
  if $style == "unmanaged" {
    createCronJob { [ $cron ] } /* <= <= <= line with the error */
  }
}
```

It's supposed to create a file that looks like this:

```
#
# this file is managed by puppet.
#
0 12 * * mon root /usr/local/bin/system_patch.pl
30 9 * * wed root /usr/local/bin/system_patch.pl
```

I can take out the offending line and the catalog compiles and runs fine. I tested it separately with `puppet apply` and it was working and created the file. But I must be doing something different and I don't know what. So I guess I have two questions. Why does the error message seem to make no sense? How can I properly call my defined function to create the file?