Hi,

I'm sorry if that's a FAQ, I also know exported resources are still
experimental. So my problem might well be a design limitation of how
exported resources are working.

My issue: I'm trying to export a file resource that is created by an
exec block. The file is exported fine and collected fine but it is
always empty on the other host.

The puppet snippet:

class djbdns {
  define master($ip) {
    $root = "/var/lib/service/${name}"
    ...
    # export public keys
    @@file { "/var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name}.pub":
      ensure  => file,
      alias   => "master-key-${name}",
      require => Exec["create-master-key-${name}"]
    }

    file { "/var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name}":
      ensure  => file,
      alias   => "master-pkey-${name}",
      require => Exec["create-master-key-${name}"]
    }

    # create the public/private key pair
    exec { "create-master-key-${name}":
      command => "ssh-keygen -f /var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name} -q -N ''",
      creates => ["/var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name}",
                  "/var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name}.pub"],
      require => File["${root}"]
    }
  }

  define slave($ip) {
    $root = "/var/lib/service/${name}"
    ...
    exec { "create-master-key-${name}":
      command     => "/bin/true",
      refreshonly => true,
    }

    exec { "add-keys":
      command     => "/usr/local/bin/add-keys /var/lib/puppet/modules/djbdns/masters.d/ ${name} ${root}",
      subscribe   => File["/var/lib/puppet/modules/djbdns/masters.d"],
      refreshonly => true
    }
  }

  # collect pub key files
  File <<||>>
}

Basically, this manifest creates an ssh key pair on master hosts, exports
them. On slaves I use the collected public key to build an authorized_keys
(with the exec "add-keys").

Unfortunately the files in /var/lib/puppet/modules/djbdns/masters.d/ are
always empty on the slaves.

Any ideas on how I could solve this issue?

-- 
Brice Figureau <brice+puppet@daysofwonder.com>
On Tuesday 13 November 2007, Brice Figureau wrote:
> Hi,
>
> I'm sorry if that's a FAQ, I also know exported resources are still
> experimental. So my problem might well be a design limitation of how
> exported resources are working.
>
> My issue: I'm trying to export a file resource that is created by an
> exec block. The file is exported fine and collected fine but it is
> always empty on the other host.
>
> The puppet snippet:
>
> class djbdns {
>   define master($ip) {
>     $root = "/var/lib/service/${name}"
>     ...
>     # export public keys
>     @@file { "/var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name}.pub":
>       ensure  => file,
>       alias   => "master-key-${name}",
>       require => Exec["create-master-key-${name}"]
>     }
>
> Basically, this manifest creates an ssh key pair on master hosts, exports
> them. On slaves I use the collected public key to build an authorized_keys
> (with the exec "add-keys").
>
> Unfortunately the files in /var/lib/puppet/modules/djbdns/masters.d/ are
> always empty on the slaves.
>
> Any ideas on how I could solve this issue?

Exported resources work exactly the same as normal resources, _except_ that
they are not distributed to the client _but_ stored in the database to be
collected via <<||>>. So the information flow is still always from the
puppetmaster to the puppets and not the other way around.

A common solution is to create key material via a function or external script
on the master and then distribute this via plain file{}.

Regards, David

-- 
The primary freedom of open source is not the freedom from cost, but the
freedom to shape software to do what you want. This freedom is /never/
exercised without cost, but is available /at all/ only by accepting the very
different costs associated with open source, costs not in money, but in time
and effort.
-- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking
Hi David,

On Tue, 2007-11-13 at 12:40 +0100, David Schmitt wrote:
> On Tuesday 13 November 2007, Brice Figureau wrote:
> > I'm sorry if that's a FAQ, I also know exported resources are still
> > experimental. So my problem might well be a design limitation of how
> > exported resources are working.
> >
> > My issue: I'm trying to export a file resource that is created by an
> > exec block. The file is exported fine and collected fine but it is
> > always empty on the other host.
> >
> [snipped]
> > Unfortunately the files in /var/lib/puppet/modules/djbdns/masters.d/ are
> > always empty on the slaves.
> >
> > Any ideas on how I could solve this issue?
>
> Exported resources work exactly the same as normal resources, _except_ that
> they are not distributed to the client _but_ stored in the database to be
> collected via <<||>>. So the information flow is still always from the
> puppetmaster to the puppets and not the other way around.

Oh, that's unfortunate... but I feared something like that...
It would have been great if the system would have used something like
the file {} backup mechanism.

> A common solution is to create key material via a function or external script
> on the master and then distribute this via plain file{}.

You mean that the creation could be done automatically on the puppetmaster,
or you mean an out-of-band manual mechanism and then a regular file{}?

My other alternative is to not care, since after all, we're not often
creating ssh keypairs, I could survive by just creating them whenever I
have to create a new tinydns master...

Thanks for the answer,

-- 
Brice Figureau <brice+puppet@daysofwonder.com>
> Oh, that's unfortunate... but I feared something like that...
> It would have been great if the system would have used something like
> the file {} backup mechanism.

That, or I'd settle for the ability to do something like:

exec {
  command       => "cat ${my_file}",
  output        => "${root}/${fqdn}/${my_file}",
  capture_flags => "rw",
}

From a ruby perspective, that's cake to write:

$out = `cat ${my_file}`

and then post $out back to the server. Or some such simple non-interactive
approach.

I'm contemplating creating a puppet output directory
($puppet_output = '/var/puppet/output'; exec { "${alias}": command => "echo output > ${puppet_output}/${alias}" })
and having a different job come through and scp the job output in
$puppet_output back to the puppetmaster. Doable, but I'm less than wild
about having to schedule phone home bits via client activity. For now,
however, I'm pretending the bidirectional flow of (output|files) is not
something I'd like to do. *desperately wants to kill nightly status
emails* :)

-sc

-- 
Sean Chittenden
sean@chittenden.org
On Tue, Nov 13, 2007 at 10:51:40AM +0100, Brice Figureau wrote:
> I'm sorry if that's a FAQ, I also know exported resources are still
> experimental. So my problem might well be a design limitation of how
> exported resources are working.
>
> My issue: I'm trying to export a file resource that is created by an
> exec block. The file is exported fine and collected fine but it is
> always empty on the other host.
>
> Basically, this manifest creates an ssh key pair on master hosts, exports them.
> On slaves I use the collected public key to build an authorized_keys (with the exec "add-keys").
>
> The puppet snippet:
>
> class djbdns {
>   define master($ip) {
>     $root = "/var/lib/service/${name}"
>     ...
>     # export public keys
>     @@file { "/var/lib/puppet/modules/djbdns/masters.d/${ipaddress}-${name}.pub":
>       ensure  => file,
>       alias   => "master-key-${name}",
>       require => Exec["create-master-key-${name}"]
>     }

I'm not seeing how that's actually going to export anything other than
"make sure this file exists" -- you're not defining its contents or its
source anywhere, so it's no wonder that it's ending up empty elsewhere!

Unfortunately, even adding a 'content' parameter isn't going to get you
anywhere, because that's evaluated on the Puppetmaster, whereas you need
it to go to the client, get some info, then wander back to the
Puppetmaster, which isn't possible.

What *would* work is a function to get the contents of a public key file,
and create the key pair if it doesn't already exist. The usage would be
something like:

define master($ip) {
  file { ".../${ipaddress}-${name}.pub":
    content => public_key("${ipaddress}-${name}"),
    ...
  }
}

define slave($ip) {
  file { ".../${ipaddress}-${name}":
    content => private_key("${ipaddress}-${name}"),
    ...
  }
}

See wiki:WritingYourOwnFunctions for info on doing that part.

If you wanted to get extra tricky, an adaptation of the authorized_key type
could be used to do all of the heavy lifting of actually adding keys, so all
of those tricky execs and shell scripts just magically disappear.

- Matt

-- 
It fsck's the volume or it gets the format again.
  -- Don Quixote, in the Monastery
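One way to build the public_key()/private_key() rvalues Matt sketches, added here as an example rather than code from the thread or from Puppet itself: the pair is generated on the puppetmaster (the direction David says the data has to flow), stored with restrictive modes, and handed to file{} as content. The key directory, the helper names, the name validation and the guarded Puppet::Parser::Functions registration at the end are this example's own assumptions.

```ruby
require "openssl"
require "base64"
require "fileutils"

DEFAULT_KEYDIR = "/var/lib/puppet/keys"   # assumed, master-only directory

# RFC 4253 wire encodings used by the OpenSSH public key blob.
def ssh_string(s) [s.bytesize].pack("N") + s end

def ssh_mpint(bn)
  bytes = bn.to_s(2)                                    # big-endian magnitude
  bytes = "\x00".b + bytes if bytes.getbyte(0) >= 0x80  # keep the sign positive
  ssh_string(bytes)
end

# Render an RSA key as one authorized_keys line.
def openssh_public_line(rsa, comment)
  blob = ssh_string("ssh-rsa") + ssh_mpint(rsa.e) + ssh_mpint(rsa.n)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}\n"
end

# Generate the pair once on the master with restrictive modes; later calls
# reuse it. The name comes from the manifest, so reject anything path-like.
def ensure_keypair(name, dir = DEFAULT_KEYDIR, bits = 2048)
  raise ArgumentError, "bad key name #{name.inspect}" unless name =~ /\A[\w-][\w.-]*\z/
  priv = File.join(dir, name)
  pub  = priv + ".pub"
  unless File.exist?(priv) && File.exist?(pub)
    FileUtils.mkdir_p(dir, :mode => 0700)
    rsa = OpenSSL::PKey::RSA.generate(bits)
    File.open(priv, "w", 0600) { |f| f.write(rsa.to_pem) }
    File.open(pub,  "w", 0644) { |f| f.write(openssh_public_line(rsa, name)) }
  end
  [priv, pub]
end

# rvalues for content => in a file{} resource
def public_key(name, dir = DEFAULT_KEYDIR)  File.read(ensure_keypair(name, dir)[1]) end
def private_key(name, dir = DEFAULT_KEYDIR) File.read(ensure_keypair(name, dir)[0]) end

# Registered as parser functions when puppetmasterd loads this file
# (Puppet::Parser::Functions API of that era); a no-op when run stand-alone.
if defined?(Puppet::Parser::Functions)
  Puppet::Parser::Functions.newfunction(:public_key,  :type => :rvalue) { |a| public_key(a[0]) }
  Puppet::Parser::Functions.newfunction(:private_key, :type => :rvalue) { |a| private_key(a[0]) }
end
```

Only the public line needs to reach the slaves; the private key is read back solely into the master's own file{} resource, so the master-side directory is the one place that needs 0700.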
On Nov 13, 2007, at 10:52 AM, Sean Chittenden wrote:
>> Oh, that's unfortunate... but I feared something like that...
>> It would have been great if the system would have used something like
>> the file {} backup mechanism.
>
> That, or I'd settle for the ability to do something like:
>
> exec {
>   command       => "cat ${my_file}",
>   output        => "${root}/${fqdn}/${my_file}",
>   capture_flags => "rw",
> }
>
> From a ruby perspective, that's cake to write:
>
> $out = `cat ${my_file}`
>
> and then post $out back to the server. Or some such simple non-interactive
> approach.
>
> I'm contemplating creating a puppet output directory
> ($puppet_output = '/var/puppet/output'; exec { "${alias}": command => "echo output > ${puppet_output}/${alias}" })
> and having a different job come through and scp the job output in
> $puppet_output back to the puppetmaster. Doable, but I'm less than wild
> about having to schedule phone home bits via client activity. For now,
> however, I'm pretending the bidirectional flow of (output|files) is not
> something I'd like to do. *desperately wants to kill nightly status
> emails* :)
>
> -sc

I think I'm confused. What are you actually trying to accomplish here?

-- 
There are no such things as applied sciences, only applications of science.
  -- Louis Pasteur
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
>> exec {
>>   command       => "cat ${my_file}",
>>   output        => "${root}/${fqdn}/${my_file}",
>>   capture_flags => "rw",
>> }
>>
>> From a ruby perspective, that's cake to write:
>>
>> $out = `cat ${my_file}`
>>
>> and then post $out back to the server. Or some such simple non-interactive
>> approach.
>>
>> I'm contemplating creating a puppet output directory
>> ($puppet_output = '/var/puppet/output'; exec { "${alias}": command => "echo output > ${puppet_output}/${alias}" })
>> and having a different job come through and scp the job output in
>> $puppet_output back to the puppetmaster. Doable, but I'm less than wild
>> about having to schedule phone home bits via client activity. For now,
>> however, I'm pretending the bidirectional flow of (output|files) is not
>> something I'd like to do. *desperately wants to kill nightly status
>> emails* :)
>>
>> -sc
>
> I think I'm confused. What are you actually trying to accomplish here?

One of two things:

1) A way of having puppetmasterd capturing the output from exec commands
   run on clients, ideally as an rvalue

2) A way of having puppetd send various files back to puppetmasterd, kinda
   like filebucket, but with puppetmaster able to specify where.

-sc

-- 
Sean Chittenden
sean@chittenden.org
On Nov 13, 2007, at 3:30 PM, Sean Chittenden wrote:
> One of two things:
>
> 1) A way of having puppetmasterd capturing the output from exec commands
>    run on clients, ideally as an rvalue

As Matt has pointed out, this cannot happen without using custom facts, and
that's not going to change.

> 2) A way of having puppetd send various files back to puppetmasterd, kinda
>    like filebucket, but with puppetmaster able to specify where.

I think this is a different enough problem that its solution is unlikely to
make it into Puppet. I can see wanting to reuse Puppet's ability for that,
but you should consider just reusing Puppet's certificates around stunnel or
something similar -- you'll have similarly simple setups, but you won't have
to shoehorn functionality into Puppet that doesn't make sense for it.

-- 
I have lost friends, some by death... others through sheer inability to
cross the street.
  -- Virginia Woolf
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com