So I am trying to get a simple manifest to run from the command line:

    package { "cntlm":
        ensure   => installed,
        provider => rpm,
        source   => "http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm",
    }

    file { "/etc/cntlm.conf":
        ensure  => present,
        owner   => root,
        mode    => 644,
        content => template("/opt/etrade/p6/puppet/modules/cntlm/templates/cntlm.conf.erb"),
    }

    [jleggett@lxp6d4m3 templates]$ cat cntlm.conf.erb
    Username <%= id %>
    Domain CORP
    PassNTLMv2 XXXXXX
    Proxy http://<%= proxy %>:8080
    Listen 3128
    Auth NTLMv2
    [jleggett@lxp6d4m3 templates]$

    [jleggett@lxp6d4m3 manifests]$ puppet cntlm.pp
    (erb):1: warning: Object#id will be deprecated; use Object#object_id
    err: //File[/etc/cntlm.conf]/ensure: change from absent to present failed: Could not set present on ensure: Permission denied - /etc/cntlm.conf.puppettmp at /opt/etrade/p6/puppet/modules/cntlm/manifests/cntlm.pp:12
    err: //Package[cntlm]/ensure: change from absent to present failed: Execution of '/bin/rpm -i --oldpackage http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm' returned 256: error: can't create transaction lock on /var/lib/rpm/__db.000

    [jleggett@lxp6d4m3 manifests]$ sudo puppet cntlm.pp
    (erb):1: warning: Object#id will be deprecated; use Object#object_id
    Failed to parse template /opt/etrade/p6/puppet/modules/cntlm/templates/cntlm.conf.erb: Could not find value for 'proxy' at /opt/etrade/p6/puppet/modules/cntlm/manifests/cntlm.pp:11 on node lxp6d4m3

    [jleggett@lxp6d4m3 manifests]$ facter proxy
    10.50.79.250
    [jleggett@lxp6d4m3 manifests]$ facter id
    jleggett
    [jleggett@lxp6d4m3 manifests]$

What am I doing wrong?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
On 6/11/2008 2:51 PM, Jeff Leggett wrote:
> (erb):1: warning: Object#id will be deprecated; use Object#object_id
> err: //File[/etc/cntlm.conf]/ensure: change from absent to present
> failed: Could not set present on ensure: Permission denied - /etc/cntlm.conf.puppettmp at /opt/etrade/p6/puppet/modules/cntlm/manifests/cntlm.pp:12
> err: //Package[cntlm]/ensure: change from absent to present failed:
> Execution of '/bin/rpm -i --oldpackage http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm'
> returned 256: error: can't create transaction lock on /var/lib/rpm/__db.000

I'd expect these don't work if jleggett doesn't have write access to /etc to make that puppettmp file, and if jleggett can't install an rpm as a regular user. I don't know if anyone runs puppet as a non-root user normally, but I don't know everyone's situation.

> [jleggett@lxp6d4m3 manifests]$ sudo puppet cntlm.pp
> (erb):1: warning: Object#id will be deprecated; use Object#object_id
> Failed to parse template /opt/etrade/p6/puppet/modules/cntlm/templates/cntlm.conf.erb: Could not find value for 'proxy' at /opt/etrade/p6/puppet/modules/cntlm/manifests/cntlm.pp:11 on node lxp6d4m3

Does 'sudo facter proxy' return something sensible? I saw it work for jleggett, but is there something in a user-specific Ruby path or a FACTER_proxy environment variable that lets the non-root facter find this proxy variable?

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
Yeah - that's the problem... I need to be my user when the template is evaluated:

    [jleggett@lxp6d4m3 templates]$ cat cntlm.conf.erb
    Username <%= id %>
    Domain CORP
    PassNTLMv2 XXXXXX
    Proxy http://<%= proxy %>:8080
    Listen 3128
    Auth NTLMv2

So that username is jleggett... BUT, if I do that... then user jleggett doesn't have permission to create the temp file in /etc :(

Now what's ODD is, if I run it as root, I would expect it to add Username as root, but it doesn't; it adds as:

    [jleggett@lxp6d4m3 manifests]$ sudo puppet --confdir=/opt/etrade/p6/puppet/ cntlm.pp
    (erb):1: warning: Object#id will be deprecated; use Object#object_id
    notice: //File[/etc/cntlm.conf]/content: changed file contents from {md5}d68da246d4ffba07d9c01acfa427d1cc to {md5}2871d52d620730b4fb508f3268ba9e56
    [jleggett@lxp6d4m3 manifests]$ cat /etc/cntlm.conf
    Username -605483388
    Domain CORP
    PassNTLMv2 XXXXXX
    Proxy 10.50.79.250:8080
    Listen 3128
    Auth NTLMv2
    [jleggett@lxp6d4m3 manifests]$ sudo facter id
    root
    [jleggett@lxp6d4m3 manifests]$

On Jun 11, 4:32 pm, Mike Renfro <ren...@tntech.edu> wrote:
> On 6/11/2008 2:51 PM, Jeff Leggett wrote:
>> (erb):1: warning: Object#id will be deprecated; use Object#object_id
>> err: //File[/etc/cntlm.conf]/ensure: change from absent to present
>> failed: Could not set present on ensure: Permission denied - /etc/cntlm.conf.puppettmp at /opt/etrade/p6/puppet/modules/cntlm/manifests/cntlm.pp:12
>> err: //Package[cntlm]/ensure: change from absent to present failed:
>> Execution of '/bin/rpm -i --oldpackage http://binford.etrade.com/CentOS5-RPMS/cntlm-0.35.1-1.i386.rpm'
>> returned 256: error: can't create transaction lock on /var/lib/rpm/__db.000
>
> I'd expect these don't work if jleggett doesn't have write access to
> /etc to make that puppettmp file, and if jleggett can't install an rpm
> as a regular user. I don't know if anyone runs puppet as a non-root user
> normally, but I don't know everyone's situation.
>
>> [jleggett@lxp6d4m3 manifests]$ sudo puppet cntlm.pp
>> (erb):1: warning: Object#id will be deprecated; use Object#object_id
>> Failed to parse template /opt/etrade/p6/puppet/modules/cntlm/templates/cntlm.conf.erb: Could not find value for 'proxy' at /opt/etrade/p6/puppet/modules/cntlm/manifests/cntlm.pp:11 on node lxp6d4m3
>
> Does 'sudo facter proxy' return something sensible? I saw it work for
> jleggett, but is there something in a user-specific Ruby path or a
> FACTER_proxy environment variable that lets the non-root facter find
> this proxy variable?
>
> --
> Mike Renfro / R&D Engineer, Center for Manufacturing Research,
> 931 372-3601 / Tennessee Technological University
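Added example (not code from this thread, from Puppet or from cntlm) showing why `<%= id %>` renders as a number while `facter id` is correct, both in the first post and in the root run above. The ERB warning `Object#id will be deprecated` identifies Ruby 1.8, where every object already has an `id` method (an alias of `object_id`). Puppet's template scope of that era hands facts and variables to ERB by catching unknown bare-word method calls with `method_missing`; a name that `Object` already defines never reaches that hook, so `<%= id %>` returns the scope object's own object id (the `-605483388` above) no matter which user runs puppet, while `<%= proxy %>` works. The stand-in scope below reproduces the mechanism. Because current Ruby has dropped `Object#id`, it uses `hash` (another `Object` method) to show the same collision, adds a `shadowed_vars` check you can run over a fact list, and shows the explicit lookup form that cannot be shadowed. `TemplateScope`, `lookupvar` and `shadowed_vars` are illustrative names, not Puppet's API; Puppet templates of the time offered `scope.lookupvar('id')` for the same purpose, so check the template docs for the version in use.

```ruby
require 'erb'

# Illustrative stand-in (not Puppet's real TemplateWrapper): a template
# scope that exposes variables to ERB as bare method calls via
# method_missing, the way Puppet 0.24-era ERB templates did.
class TemplateScope
  def initialize(vars)
    @vars = vars
  end

  # Explicit lookup by name. This never goes through Ruby method dispatch,
  # so it cannot be shadowed by a method Object already defines.
  def lookupvar(name)
    @vars.fetch(name.to_s) { raise KeyError, "Could not find value for '#{name}'" }
  end

  # Bare-word lookup: <%= proxy %> becomes self.proxy, which only reaches
  # method_missing if no method called 'proxy' exists on the object.
  def method_missing(name, *args)
    key = name.to_s
    return @vars[key] if args.empty? && @vars.key?(key)
    super
  end

  def respond_to_missing?(name, include_private = false)
    @vars.key?(name.to_s) || super
  end

  # Evaluate the template with this object as self, as Puppet did.
  def render(template)
    ERB.new(template).result(binding)
  end
end

# Variable names that resolve to a method Object (or Kernel) already
# defines and so never reach method_missing. On Ruby 1.8 this list
# includes 'id' (hence the thread's warning and numeric Username); on
# current Ruby Object#id is gone, but 'hash', 'class', 'display' and
# 'format' still collide.
def shadowed_vars(vars)
  vars.keys.select do |k|
    Object.method_defined?(k.to_sym) || Object.private_method_defined?(k.to_sym)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample facts, mirroring the thread: 'hash' stands in for 'id'.
  scope = TemplateScope.new('proxy' => '10.50.79.250', 'hash' => 'jleggett')
  puts "shadowed: #{shadowed_vars('proxy' => 1, 'hash' => 2).inspect}"
  puts scope.render("Username <%= hash %>")              # numeric, not jleggett
  puts scope.render("Username <%= lookupvar('hash') %>") # jleggett
  puts scope.render("Proxy http://<%= proxy %>:8080")
end
```

Running it prints a numeric Username for the bare-word form and `jleggett` for the explicit lookup, which is exactly the difference between `facter id` and what the template wrote to /etc/cntlm.conf.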
Jeff Leggett wrote:
> I need to be my user when the template is evaluated:

Is there another reason for this beyond the "id" fact being set properly when you're jleggett and not when you're root? Any reason why cntlm has to connect as your user (or whoever runs puppet in the general sense), and not as a dedicated account?

I don't have a good answer to the template id variable turning numeric when facter id is correct, though.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- renfro@tntech.edu
Yes, because there is no way in my organization Access Control is going to allow a machine id out the proxy... That's set up and tracked by user id... All sorts of compliance regulations will enforce that one....

On Jun 11, 11:19 pm, Mike Renfro <ren...@tntech.edu> wrote:
> Jeff Leggett wrote:
>> I need to be my user when the template is evaluated:
>
> Is there another reason for this beyond the "id" fact being set properly
> when you're jleggett and not when you're root? Any reason why cntlm has
> to connect as your user (or whoever runs puppet in the general sense),
> and not as a dedicated account?
>
> I don't have a good answer to the template id variable turning numeric
> when facter id is correct, though.
>
> --
> Mike Renfro / R&D Engineer, Center for Manufacturing Research,
> 931 372-3601 / Tennessee Technological University -- ren...@tntech.edu
On 6/12/2008 9:24 AM, Jeff Leggett wrote:
> Yes, because there is no way in my organization Access Control is
> going to allow a machine id out the proxy... Thats setup and tracked
> by User id... All sorts of compliance regulations will enforce that
> one....

Ok. So do they all proxy out as jleggett (which really doesn't sound any better than proxying through a separate account, but I don't have to deal with lots of compliance regulations)? If so, hard-code the username into the template similar to how it appears you've hard-coded the NTLMv2 hash. If they proxy out as different users, then I assume something's missing in the template that provides a varying NTLMv2 hash.

If the stated policy goal is "whoever's running puppet, put their credentials into cntlm.conf", then you're heading that way. If the policy is a bit more complicated, like "for this group of servers, proxy out as jleggett. For this other group, proxy out as bob", then I'd wrap this up in a definition that allows the desired username and hash to be passed as parameters to the file entry.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
OK my bad (and I really appreciate your answers by the way), I didn't explain clearly enough. I am trying to use puppet to set up and manage what we call our P8 (packaging 2008) developer workstations. These are RHAS5 based workstations that are kickstarted, then I want Puppet to pick up the rest (if possible) of the configuration. Automatic configuration modules now work pretty well. Now I am working on the pieces that apply to the individual developer that gets this workstation. In this case, me - jleggett. So I want to run this puppet cntlm.pp manifest and voilà... my proxy on the box is set up, and authenticating to our external proxy. Then all the myriad other tools that need a proxy can just point to it in their conf files (yum, subversion etc). This meets regulatory requirements, and has the added bonus of not having a single cleartext password on the box.

My plan was to wrap all the individual manifest runs in a shell script with any other shell commands (like the 'cntlm -H -u blah blah' needed to generate the HASH - assign said HASH to a $FACTER_hash variable, then call the manifest... similar idea with other tools. But I run into the problem of said manifest needing to write to /etc to create the conf file but have the user variables and facter variables from the user space. Make sense?

On Jun 12, 10:43 am, Mike Renfro <ren...@tntech.edu> wrote:
> On 6/12/2008 9:24 AM, Jeff Leggett wrote:
>> Yes, because there is no way in my organization Access Control is
>> going to allow a machine id out the proxy... Thats setup and tracked
>> by User id... All sorts of compliance regulations will enforce that
>> one....
>
> Ok. So do they all proxy out as jleggett (which really doesn't sound any
> better than proxying through a separate account, but I don't have to
> deal with lots of compliance regulations)? If so, hard-code the username
> into the template similar to how it appears you've hard-coded the NTLMv2
> hash. If they proxy out as different users, then I assume something's
> missing in the template that provides a varying NTLMv2 hash.
>
> If the stated policy goal is "whoever's running puppet, put their
> credentials into cntlm.conf", then you're heading that way. If the
> policy is a bit more complicated, like "for this group of servers, proxy
> out as jleggett. For this other group, proxy out as bob", then I'd wrap
> this up in a definition that allows the desired username and hash to be
> passed as parameters to the file entry.
>
> --
> Mike Renfro / R&D Engineer, Center for Manufacturing Research,
> 931 372-3601 / Tennessee Technological University
On 6/12/2008 10:09 AM, Jeff Leggett wrote:
> Automatic configuration modules now work pretty well. Now I am
> working on the pieces that apply to the individual developer that
> gets this workstation. In this case, me - jleggett. so i want to
> run this puppet cntlm.pp manifest and wa-la... my proxy on the box is
> setup, and authenticating to our external proxy. Then all the
> myriad other tools that need a proxy can just point to it in their
> conf files (yum, subversion etc). This meets regulatory
> requirements, and has the added bonus of not having a single
> cleartext password on the box.

Are any regulatory requirements violated if the NTLMv2 hashes already stored on each workstation are also stored in a common location on the puppetmaster? Are there any variables other than the developer's username and hash that would normally be generated on the client?

If not, would something like the following work with the regular puppetmasterd/puppetd setup (completely untested, but should be close)?

====

    class cntlm {
        package { "cntlm":
            ...
        }
        file { "/etc/cntlm.conf":
            # template() takes a path under templatedir (or module/file.erb),
            # not a puppet:// URL; the URL form is for 'source =>'.
            content => template("path/to/cntlm.conf.erb"),
            ...
        }
    }

    node jleggett_managed {
        $developer = 'jleggett'
        $ntlmhash  = 'whatever'
        $proxy     = 'somehost'   # Could be moved into a higher part of the
                                  # manifest or into the cntlm class, too.
    }

    node jleggett_node inherits jleggett_managed {
        include cntlm
    }

- cntlm.conf.erb -

    Username <%= developer %>
    Domain CORP
    PassNTLMv2 <%= ntlmhash %>
    Proxy http://<%= proxy %>:8080
    Listen 3128
    Auth NTLMv2

====

Another option would be to modify your kickstart configuration with information about which developer will own this workstation, drop that into a FACTER_developer environment variable, and continue with your running puppet interactively.

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
That's a good solution Mike! I need to think about how I could pre-generate the hashes though.

On Jun 12, 12:06 pm, Mike Renfro <ren...@tntech.edu> wrote:
> On 6/12/2008 10:09 AM, Jeff Leggett wrote:
>> Automatic configuration modules now work pretty well. Now I am
>> working on the pieces that apply to the individual developer that
>> gets this workstation. In this case, me - jleggett. so i want to
>> run this puppet cntlm.pp manifest and wa-la... my proxy on the box is
>> setup, and authenticating to our external proxy. Then all the
>> myriad other tools that need a proxy can just point to it in their
>> conf files (yum, subversion etc). This meets regulatory
>> requirements, and has the added bonus of not having a single
>> cleartext password on the box.
>
> Are any regulatory requirements violated if the NTLMv2 hashes already
> stored on each workstation are also stored in a common location on the
> puppetmaster? Are there any variables other than the developer's
> username and hash that would normally be generated on the client?
>
> If not, would something like the following work with the regular
> puppetmasterd/puppetd setup (completely untested, but should be close)?
>
> ====
>
> class cntlm {
>   package { "cntlm":
>     ...
>   }
>   file { "/etc/cntlm.conf":
>     content => template("puppet://server/path/to/cntlm.conf.erb"),
>     ...
>   }
> }
>
> node jleggett_managed {
>   $developer = 'jleggett'
>   $ntlmhash = 'whatever'
>   $proxy = 'somehost' # Could be moved into a higher part of the
>                       # manifest or into the cntlm class, too.
> }
>
> node jleggett_node inherits jleggett_managed {
>   include cntlm
> }
>
> - cntlm.conf.erb -
>
> Username <%= developer %>
> Domain CORP
> PassNTLMv2 <%= ntlmhash %>
> Proxy http://<%= proxy %>:8080
> Listen 3128
> Auth NTLMv2
>
> ====
>
> Another option would be to modify your kickstart configuration with
> information about which developer will own this workstation, drop that
> into a FACTER_developer environment variable, and continue with your
> running puppet interactively.
>
> --
> Mike Renfro / R&D Engineer, Center for Manufacturing Research,
> 931 372-3601 / Tennessee Technological University
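Added example, not code from this thread, from cntlm or from Puppet, for the two open points above: Mike's question of whether the hashes may live on the puppetmaster, and the reply's "how I could pre-generate the hashes" instead of running `cntlm -H` on each box. The value cntlm calls PassNTLMv2 is, to the best of my knowledge, the NTLMv2 hash of MS-NLMP (NTOWFv2): HMAC-MD5 keyed with the NT hash (MD4 of the UTF-16LE password) over UTF-16LE of the uppercased username followed by the domain; treat that mapping as an assumption and compare one generated value against `cntlm -H` for your build before relying on it. The block below computes it in Ruby and renders the same cntlm.conf body the thread's template produces, with a pure-Ruby MD4 because OpenSSL 3 ships MD4 only in its legacy provider. The caveat that answers Mike's question: this hash is password-equivalent. Anyone who can read it can authenticate to the proxy as that user, so a cntlm.conf carrying it deserves root ownership and mode 0600 rather than the 644 in the first post, and a copy on the puppetmaster is, for compliance purposes, a stored credential just like the password would be. `nt_hash`, `ntlmv2_hash` and `cntlm_conf` are illustrative names.

```ruby
require 'openssl'

MASK32 = 0xffffffff

def rotl32(x, s)
  ((x << s) | (x >> (32 - s))) & MASK32
end

# Pure-Ruby MD4 (RFC 1320). Included because OpenSSL 3 moves MD4 to the
# legacy provider, so OpenSSL::Digest::MD4 is often unavailable.
def md4(message)
  msg = message.b
  bitlen = msg.bytesize * 8
  msg << "\x80".b
  msg << "\x00".b while msg.bytesize % 64 != 56
  msg << [bitlen & MASK32, bitlen >> 32].pack('V2')

  f = ->(x, y, z) { (x & y) | ((x ^ MASK32) & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rounds = [
    [f, 0x00000000, (0..15).to_a, [3, 7, 11, 19]],
    [g, 0x5a827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]],
    [h, 0x6ed9eba1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]]
  ]

  state = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
  msg.unpack('V*').each_slice(16) do |words|
    v = state.dup
    rounds.each do |fn, add, order, shifts|
      order.each_with_index do |k, i|
        t = (-i) % 4   # target register cycles a, d, c, b as in the RFC
        sum = v[t] + fn.call(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + words[k] + add
        v[t] = rotl32(sum & MASK32, shifts[i % 4])
      end
    end
    state = state.zip(v).map { |a, b| (a + b) & MASK32 }
  end
  state.pack('V4')
end

# NT hash (NTOWFv1): MD4 over the UTF-16LE password. Password-equivalent.
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

# NTLMv2 hash (NTOWFv2, MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash
# over UTF-16LE(uppercase(user) + domain). Assumption: this is the value
# cntlm -H prints as PassNTLMv2; verify against your cntlm build.
def ntlmv2_hash(user, domain, password)
  data = (user.upcase + domain).encode('UTF-16LE')
  OpenSSL::HMAC.digest('MD5', nt_hash(password), data.b)
end

def hex(bytes)
  bytes.unpack1('H*')
end

# The cntlm.conf body the thread's template renders, with the NTLMv2 hash
# in place of a cleartext password. Whoever can read this (or its copy on
# the puppetmaster) can authenticate as the user: keep it root:root 0600.
def cntlm_conf(user:, domain:, password:, proxy:, listen: 3128)
  [
    "Username #{user}",
    "Domain #{domain}",
    "PassNTLMv2 #{hex(ntlmv2_hash(user, domain, password))}",
    "Proxy http://#{proxy}:8080",
    "Listen #{listen}",
    "Auth NTLMv2"
  ].join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; 'hunter2' is a placeholder password.
  puts cntlm_conf(user: 'jleggett', domain: 'CORP', password: 'hunter2', proxy: '10.50.79.250')
end
```

The MD4 and NTOWFv2 values it is checked against are the published test vectors from RFC 1320 and MS-NLMP section 4.2 (user "User", domain "Domain", password "Password"); if your `cntlm -H` output for a known password matches `ntlmv2_hash`, the hashes can be generated on the puppetmaster and fed into Mike's `$ntlmhash` variable without ever putting the password on the workstation.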