Jeff Falgout
2007-Mar-13 16:03 UTC
N00B questions: How to dynamically set hostname in a config file . . .
Greetings -

I've just started testing Puppet and have a couple of questions:

1. Is there a way to dynamically change a configuration file that is sent to nodes?
For example, I want to modify /etc/hosts to have the hostname and ip address set dynamically - the hosts file should look like:

    12.34.56.78 node1.example.com
    22.35.66.99 server1.example.com

But I don't want to have a host file for each host. From what I can glean from the archives, I *think* I can set my hosts file on the puppet server file repository to look like:

    $ipaddress $hostname
    22.35.66.99 $server1.example.com

I'm unable to make that work. What am I doing wrong?

2. How often do the puppet clients "check in" with the puppet server? Is that time configurable?

3. Does the puppet client initiate connections to the puppet server? If so, how do people handle puppet clients that are in a DMZ, the puppet server is in the protected network and where firewall rules prohibit clients from initiating connections to the protected net?

Thanks in advance for any help.

Jeff
ADNET Ghislain
2007-Mar-13 16:13 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
Jeff Falgout wrote:
> Greetings -
>
> I've just started testing Puppet and have a couple of questions:
>
> 1. Is there a way to dynamically change a configuration file that is
> sent to nodes?

template just do that :)
http://www.reductivelabs.com/trac/puppet/wiki/PuppetTemplating

> 2. How often do the puppet clients "check in" with the puppet server?
> Is that time configurable?

by default it is 30 minutes I guess but you can change this in the config file, not sure about this one.

> 3. Does the puppet client initiate connections to the puppet server?
> If so, how do people handle puppet clients that are in a DMZ, the
> puppet server is in the protected network and where firewall rules
> prohibit clients from initiating connections to the protected net?

I think you can use it both ways, you run it from cron so this is the client that calls the server but I am pretty sure that you can use a PUSH model.

regards,
Ghislain.

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
Kenton Brede
2007-Mar-13 16:29 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
On 3/13/07, Jeff Falgout <jtfalgout@gmail.com> wrote:
> Greetings -
>
> I've just started testing Puppet and have a couple of questions:
>
> 1. Is there a way to dynamically change a configuration file that is
> sent to nodes?
> For example, I want to modify /etc/hosts to have the hostname and ip
> address set dynamically - the hosts file should look like:
>
> 12.34.56.78 node1.example.com
>
> 22.35.66.99 server1.example.com
>
>
> But I don't want to have a host file for each host. From what I can
> glean from the archives, I *think* I can set my hosts file on the
> puppet server file repository to look like:
>
> $ipaddress $hostname
>
> 22.35.66.99 $server1.example.com
> I'm unable to make that work. What am I doing wrong?

You didn't post your config so it's hard to guess exactly what you've done. It sounds like you are trying to use templating, is that correct?
http://reductivelabs.com/trac/puppet/wiki/PuppetTemplating

There's also a host type that might be useful in this case.
http://www.reductivelabs.com/projects/puppet/reference/typedocs.html#host

> 2. How often do the puppet clients "check in" with the puppet server?
> Is that time configurable?

It's 30 minutes and can be changed with "runinterval = seconds" in puppetd.conf
http://reductivelabs.com/projects/puppet/reference/configref.html

> 3. Does the puppet client initiate connections to the puppet server?
> If so, how do people handle puppet clients that are in a DMZ, the
> puppet server is in the protected network and where firewall rules
> prohibit clients from initiating connections to the protected net?

I'm not an expert on your network but it looks like you have a couple of choices. Punch a hole through the firewall or run your Puppet server in your DMZ.

Kent
Jeff Falgout
2007-Mar-13 17:06 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
Thanks for the pointer! That's what I want to do

On 3/13/07, ADNET Ghislain <gadnet@aqueos.com> wrote:
>
> > 1. Is there a way to dynamically change a configuration file that is
> > sent to nodes?
> >
>
> template just do that :)
> http://www.reductivelabs.com/trac/puppet/wiki/PuppetTemplating

I've got a couple of files that require that the hostname be set (netbackup's bp.conf is one) and /etc/hosts is the simplest example I can come up with. I'm not quite getting my head wrapped around how to do this. I've created a file called hosts_template in the template directory which looks like:

    <%= ip %> <%= name %>
    22.35.66.99 server1.example.com

What do I need to put in my site.pp file to assign this template to the hosts? Is it as simple as:

    class hosts_test {
        file { "hosts":
            path    => "/tmp/hosts",
            ensure  => present,
            mode    => 644,
            owner   => root,
            group   => root,
            content => template("hosts_template")
        }
    }

When I run that config I get the error:

    Could not retrieve configuration: Failed to parse template hosts_template: Could not find value for 'ip' at /etc/puppet/manifests/site.pp:68

Line 68 is the content line.

Thanks again,

Jeff
Jeff Falgout
2007-Mar-13 17:21 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
On 3/13/07, Kenton Brede <kbrede@gmail.com> wrote:
>
> > 3. Does the puppet client initiate connections to the puppet server?
> > If so, how do people handle puppet clients that are in a DMZ, the
> > puppet server is in the protected network and where firewall rules
> > prohibit clients from initiating connections to the protected net?
>
> I'm not an expert on your network but it looks like you have a couple
> of choices. Punch a hole through the firewall or run your Puppet
> server in your DMZ.

If I punch a hole in the firewall allowing traffic from the protected net to DMZ, will the puppet server PUSH the changes to the puppet client or do the puppet clients need to pull the changes?

Thanks for the help,

Jeff
ADNET Ghislain
2007-Mar-13 17:23 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
> When I run that config I get the error: Could not retrieve
> configuration: Failed to parse template hosts_template: Could not find
> value for 'ip' at /etc/puppet/manifests/site.pp:68
>

ip does not exist, try ipaddress (run facter in the command line to see the name of the variables you can use :)

--
Regards,
Ghislain
Jeff Falgout
2007-Mar-13 17:37 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
On 3/13/07, ADNET Ghislain <gadnet@aqueos.com> wrote:
>
> > When I run that config I get the error: Could not retrieve
> > configuration: Failed to parse template hosts_template: Could not find
> > value for 'ip' at /etc/puppet/manifests/site.pp:68
> >
> ip does not exist, try ipaddress (run facter in the command line to see
> the name of the variables you can use :)
>

Ahhhhh - ok, now I understand what facter is for! That's what the problem was, ipaddress and hostname, not ip and host.

Thanks, it's working as I expected now!!!
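
[Added example, not part of the original thread and not Puppet's own code: a plain-Ruby ERB sketch of the failure and the fix discussed above, where a template may only reference names that exist as facts. `FactScope`, `render_hosts` and `missing_facts` are hypothetical helper names, and the fact values are constructed samples standing in for `facter` output.]

```ruby
require 'erb'

# Constructed sample facts, standing in for what `facter` reports on a node.
SAMPLE_FACTS = {
  'hostname'  => 'node1',
  'fqdn'      => 'node1.example.com',
  'ipaddress' => '12.34.56.78'
}.freeze

# Evaluation scope that exposes each fact as a bare name, so a template can
# write <%= ipaddress %>. Unknown names raise, mirroring the error in the thread.
# (Assumption: this imitates, but is not, Puppet's real template scope.)
class FactScope
  def initialize(facts)
    @facts = facts
  end

  def method_missing(name, *args)
    key = name.to_s
    return @facts[key] if args.empty? && @facts.key?(key)
    raise NameError, "Could not find value for '#{key}'"
  end

  def respond_to_missing?(name, include_private = false)
    @facts.key?(name.to_s) || super
  end

  def scope_binding
    binding
  end
end

# Render a hosts template against one node's facts.
def render_hosts(template, facts)
  ERB.new(template).result(FactScope.new(facts).scope_binding)
end

# Pre-deployment check: names used in simple <%= name %> tags that are not
# present in the fact set, in order of first appearance.
def missing_facts(template, facts)
  template.scan(/<%=\s*([a-z_]\w*)\s*%>/).flatten.uniq - facts.keys
end

BROKEN = "<%= ip %> <%= name %>\n22.35.66.99 server1.example.com\n"
FIXED  = "<%= ipaddress %> <%= fqdn %> <%= hostname %>\n22.35.66.99 server1.example.com\n"

puts "broken template is missing: #{missing_facts(BROKEN, SAMPLE_FACTS).join(', ')}"
puts render_hosts(FIXED, SAMPLE_FACTS)
```
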
Luke Kanies
2007-Mar-13 17:44 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
On Mar 13, 2007, at 10:21 AM, Jeff Falgout wrote:
> On 3/13/07, Kenton Brede <kbrede@gmail.com> wrote:
>
>>> 3. Does the puppet client initiate connections to the puppet server?
>>> If so, how do people handle puppet clients that are in a DMZ, the
>>> puppet server is in the protected network and where firewall rules
>>> prohibit clients from initiating connections to the protected net?
>>
>> I'm not an expert on your network but it looks like you have a couple
>> of choices. Punch a hole through the firewall or run your Puppet
>> server in your DMZ.
>
> If I punch a hole in the firewall allowing traffic from the protected
> net to DMZ, will the puppet server PUSH the changes to the puppet
> client or do the puppet clients need to pull the changes?

The server will never connect to the clients on its own, so the clients will still pull.

No one has yet asked for this, so I haven't taken the time to create a good way for the server to initiate all connections to the clients, but it should not be that hard to do so. It should only take a couple of hours of coding to make it all work, so if you want the server to initiate all connections it's possible with some coding work but does not work today.

--
If there is anything the nonconformist hates worse than a conformist, it's another nonconformist who doesn't conform to the prevailing standard of nonconformity. --Bill Vaughan
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Jeff Falgout
2007-Mar-13 18:50 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
Thanks Luke -

On 3/13/07, Luke Kanies <luke@madstop.com> wrote:
>
> > If I punch a hole in the firewall allowing traffic from the protected
> > net to DMZ, will the puppet server PUSH the changes to the puppet
> > client or do the puppet clients need to pull the changes?
>
> The server will never connect to the clients on its own, so the
> clients will still pull.
>
> No one has yet asked for this, so I haven't taken the time to create
> a good way for the server to initiate all connections to the clients,
> but it should not be that hard to do so. It should only take a
> couple of hours of coding to make it all work, so if you want the
> server to initiate all connections it's possible with some coding
> work but does not work today.
>

This feature would be something even the commercial vendors we've looked at (and even some we've used) can't provide. I work for a .gov and it's security above everything else so this would be a HUGE plus. Keeping a puppet server in the DMZ will probably give our security guys a case of heartburn and client initiated connections are a no-no in the DMZ. If you do decide to do this, I'd just suggest making this configurable.
Luke Kanies
2007-Mar-14 18:28 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
On Mar 13, 2007, at 11:50 AM, Jeff Falgout wrote:
>
> This feature would be something even the commercial vendors we've
> looked at (and even some we've used) can't provide. I work for a .gov
> and it's security above everything else so this would be a HUGE plus.
> Keeping a puppet server in the DMZ will probably give our security
> guys a case of heartburn and client initiated connections are a no-no in
> the DMZ. If you do decide to do this, I'd just suggest making this
> configurable.

I've got too much work lined up, much of it high-priority and resulting from clients, to work on this at the moment, but I'm glad to help you get it working, and, of course, if you hired me to do the work I'd be able to provide some assurance as to timeframe and support.

I'm guessing it would mostly require replacing puppetmasterd with a forking server that iterates over each client, connects to the client, retrieves its facts, compiles the configuration, and sends the compiled configuration back. All the structure is there, you just need the server-side piece that connects to clients.

--
Basic research is what I am doing when I don't know what I am doing. --Wernher von Braun
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Jeff Falgout
2007-Mar-14 19:36 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
Luke -

On 3/14/07, Luke Kanies <luke@madstop.com> wrote:
> On Mar 13, 2007, at 11:50 AM, Jeff Falgout wrote:
> >
> > This feature would be something even the commercial vendors we've
> > looked at (and even some we've used) can't provide. I work for a .gov
> > and it's security above everything else so this would be a HUGE plus.
> > Keeping a puppet server in the DMZ will probably give our security
> > guys a case of heartburn and client initiated connections are a no-no in
> > the DMZ. If you do decide to do this, I'd just suggest making this
> > configurable.
>
> I've got too much work lined up, much of it high-priority and
> resulting from clients, to work on this at the moment, but I'm glad
> to help you get it working, and, of course, if you hired me to do the
> work I'd be able to provide some assurance as to timeframe and support.

I've just started exploring Puppet, I don't anticipate getting to the point that this is a requirement soon, but I'll see what I can do. Maybe it's time to learn some ruby.

>
> I'm guessing it would mostly require replacing puppetmasterd with a
> forking server that iterates over each client, connects to the
> client, retrieves its facts, compiles the configuration, and sends
> the compiled configuration back. All the structure is there, you
> just need the server-side piece that connects to clients.
>

Replacing the puppetmasterd seems a bit too invasive. Maybe an addon daemon that is configured to send the compiled configuration to the clients and the DMZ clients then look locally for the config. Just throwing some things out.

Thanks,

Jeff
Luke Kanies
2007-Mar-21 19:17 UTC
Re: N00B questions: How to dynamically set hostname in a config file . . .
On Mar 14, 2007, at 2:36 PM, Jeff Falgout wrote:
> Luke -
>
> On 3/14/07, Luke Kanies <luke@madstop.com> wrote:
>
>>
>> I'm guessing it would mostly require replacing puppetmasterd with a
>> forking server that iterates over each client, connects to the
>> client, retrieves its facts, compiles the configuration, and sends
>> the compiled configuration back. All the structure is there, you
>> just need the server-side piece that connects to clients.
>>
>
> Replacing the puppetmasterd seems a bit too invasive. Maybe an addon
> daemon that is configured to send the compiled configuration to the
> clients and the DMZ clients then look locally for the config. Just
> throwing some things out.

Sorry; I didn't mean getting rid of puppetmasterd, but rather replacing it in your architectural diagram. You'd need a push server instead of a pull server, and you'd run it instead of puppetmasterd.

--
I had a linguistics professor who said that it's man's ability to use language that makes him the dominant species on the planet. That may be. But I think there's one other thing that separates us from animals. We aren't afraid of vacuum cleaners. --Jeff Stilson
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com