Puppet users - Jun 2007 - Newbie questions...

I''ve spent the last week or two poring over the documentation and  
setting up my first puppet environment, and while I''ve figured out  
how to do most of what I want to do with it, I have some questions  
that I haven''t been able to find answers for...


* Can I match parts of a facter fact?  In particular I have hostnames  
that include the environment as part of the name (dev-app-01, test- 
app-01, stage-app-01, prod-app-01, etc), and there are some settings  
where I''d like to be able to do something like this:

	case $hostname {
		"dev-*": { $gateway = ''192.168.1.1'' }
		"test-*": { $gateway = ''192.168.2.1'' }
		"stage-*": { $gateway = ''192.168.3.1'' }
	}

I''ll probably end up writing a facter module to create facts out of  
this information, but for now I''ve kind of kludged it by adding this  
to /etc/profile.d/puppet.sh (I''m running Fedora) so it ends up in the  
environment where facter can see it:

TMP=`hostname -s`
export FACTER_NETLOC=${TMP/-*}
TMP=${TMP/$FACTER_NETLOC-}
export FACTER_SERVTYPE=${TMP/-*}
TMP=${TMP/$FACTER_SERVTYPE-}
export FACTER_SERVID=$TMP

Ultimately though, I feel like it would be easier if it was possible  
to use wildcard matches for the case statement, then I could also do  
things like "dev-build-*" when I need to...


* Is it possible to extend built-in types?  I''d like to add ssh keys  
to the user type, and have them added to the users .ssh/authorized  
keys file on the hosts where that user has access.


* Is there any way to remove or report any entries that are not part  
of the puppet manifest?  Specifically I''d like the manifest to  
specify all the users that should be in the password file and all the  
RPMs that should be installed, and have puppet remove (or at least  
report) any users or RPMs on the system that shouldn''t be there.  Or  
at least is there a way to get a list of what users/rpms the manifest  
is managing so that I can whip together a little script to check for  
the extras?


-- 
Jason Kohles
email@jasonkohles.com
http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 27 June 2007, Jason Kohles wrote:
> I''ve spent the last week or two poring over the documentation and
> setting up my first puppet environment, and while I''ve figured out
> how to do most of what I want to do with it, I have some questions
> that I haven''t been able to find answers for...
>
>
> * Can I match parts of a facter fact?  In particular I have hostnames
> that include the environment as part of the name (dev-app-01, test-
> app-01, stage-app-01, prod-app-01, etc), and there are some settings
> where I''d like to be able to do something like this:
>
> 	case $hostname {
> 		"dev-*": { $gateway = ''192.168.1.1'' }
> 		"test-*": { $gateway = ''192.168.2.1'' }
> 		"stage-*": { $gateway = ''192.168.3.1'' }
> 	}
>
> I''ll probably end up writing a facter module to create facts out
of
> this information, but for now I''ve kind of kludged it by adding
this
> to /etc/profile.d/puppet.sh (I''m running Fedora) so it ends up in
the
> environment where facter can see it:
>
> TMP=`hostname -s`
> export FACTER_NETLOC=${TMP/-*}
> TMP=${TMP/$FACTER_NETLOC-}
> export FACTER_SERVTYPE=${TMP/-*}
> TMP=${TMP/$FACTER_SERVTYPE-}
> export FACTER_SERVID=$TMP
>
> Ultimately though, I feel like it would be easier if it was possible
> to use wildcard matches for the case statement, then I could also do
> things like "dev-build-*" when I need to...
Usually this is solved the other way round:

node dev {
 $gateway = "....1"
 include dev_classes
}

node dev-app-01, dev-app-02, ... inherits dev { }
> * Is it possible to extend built-in types?  I''d like to add ssh
keys
> to the user type, and have them added to the users .ssh/authorized
> keys file on the hosts where that user has access.
There is a recipe on the wiki for that:

https://reductivelabs.com/trac/puppet/wiki/Authorized_keysRecipe
> * Is there any way to remove or report any entries that are not part
> of the puppet manifest?  Specifically I''d like the manifest to
> specify all the users that should be in the password file and all the
> RPMs that should be installed, and have puppet remove (or at least
> report) any users or RPMs on the system that shouldn''t be there. 
Or
> at least is there a way to get a list of what users/rpms the manifest
> is managing so that I can whip together a little script to check for
> the extras?
Look for the purge parameter in the type reference:

https://reductivelabs.com/trac/puppet/wiki/TypeReference

Regards, David


- -- 
- - hallo... wie gehts heute?
- - *hust* gut *rotz* *keuch*
- - gott sei dank kommunizieren wir über ein septisches medium ;)
 -- Matthias Leeb, Uni f. angewandte Kunst, 2005-02-15
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGgqbJ/Pp1N6Uzh0URAhykAJwJi9tcFW4WHdwJM86snan4agr6+gCgjNxs
swvp5vxfnCR0enaG5+6x9WA=QOPY
-----END PGP SIGNATURE-----

On Jun 27, 2007, at 2:04 PM, David Schmitt wrote:
>> * Can I match parts of a facter fact?  In particular I have hostnames
>> that include the environment as part of the name (dev-app-01, test-
>> app-01, stage-app-01, prod-app-01, etc), and there are some settings
>> where I''d like to be able to do something like this:
>>
>> 	case $hostname {
>> 		"dev-*": { $gateway = ''192.168.1.1'' }
>> 		"test-*": { $gateway = ''192.168.2.1'' }
>> 		"stage-*": { $gateway = ''192.168.3.1'' }
>> 	}
>>
>
> Usually this is solved the other way round:
>
> node dev {
>  $gateway = "....1"
>  include dev_classes
> }
>
> node dev-app-01, dev-app-02, ... inherits dev { }
>
This would work if I could do multiple inheritance, but puppet  
doesn''t seem to like multiple inheritance.  The big problem I have is  
that I have a lot of settings that are based on the environment  
(primarily because in addition to the test/staging/production  
environments, I have multiple dev environments, which are  
differentiated because of the network they are located on, so dev1-*  
are all in one location, and dev2-* are all in another location.  On  
top of that, I have a lot of settings that differ based on the server  
type, so to use inheritance, I''d need something more like:

node dev1-app-01 inherits dev1_network,app_server {}

What I''ll probably end up doing is writing a script to generate my  
node definitions, so I can just include the settings/classes I need  
in the node...
>> * Is it possible to extend built-in types?  I''d like to add
ssh keys
>> to the user type, and have them added to the users .ssh/authorized
>> keys file on the hosts where that user has access.
>
> There is a recipe on the wiki for that:
>
> https://reductivelabs.com/trac/puppet/wiki/Authorized_keysRecipe
>
I''ve looked at that, but it''s way more complex than I need, as
I
really don''t want to be generating keys for users.  What I really  
wanted was just the ability to do:

user {
	"jason":
		uid	=> 500,
		gid	=> 500,
		sshkey => "ssh-dss AAAA.........== jason@localhost''
}

After digging through it, I''ve found a way to accomplish my goal,  
rather than trying to extend ''user'', I''m adapting the
''define
account'' that is found in there.

>> * Is there any way to remove or report any entries that are not part
>> of the puppet manifest?  Specifically I''d like the manifest to
>> specify all the users that should be in the password file and all the
>> RPMs that should be installed, and have puppet remove (or at least
>> report) any users or RPMs on the system that shouldn''t be
there.  Or
>> at least is there a way to get a list of what users/rpms the manifest
>> is managing so that I can whip together a little script to check for
>> the extras?
>
> Look for the purge parameter in the type reference:
>
> https://reductivelabs.com/trac/puppet/wiki/TypeReference
>
Hmm, somehow I managed to miss that, several times it seems, while  
reading that page...

-- 
Jason Kohles
email@jasonkohles.com
http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire

On Jun 27, 2007, at 1:04 PM, David Schmitt wrote:
>> * Is there any way to remove or report any entries that are not part
>> of the puppet manifest?  Specifically I''d like the manifest to
>> specify all the users that should be in the password file and all the
>> RPMs that should be installed, and have puppet remove (or at least
>> report) any users or RPMs on the system that shouldn''t be
there.  Or
>> at least is there a way to get a list of what users/rpms the manifest
>> is managing so that I can whip together a little script to check for
>> the extras?
>
> Look for the purge parameter in the type reference:
>
> https://reductivelabs.com/trac/puppet/wiki/TypeReference
And especially look at the ''resources'' type, which can be used
to
remove unmanaged resources.  Set noop => true to just log what would  
be removed.

  --
  Should I say "I believe in physics", or "I know that physics is
true"?
                  -- Ludwig Wittgenstein, On Certainty, 602.
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

On Jun 27, 2007, at 2:51 PM, Jason Kohles wrote:
> What I''ll probably end up doing is writing a script to generate my
> node definitions, so I can just include the settings/classes I need
> in the node...
You should look at the external node support:

http://reductivelabs.com/trac/puppet/wiki/ 
ConfigurationReference#external-nodes

That''s a *much* better solution than generating your node  
definitions, and is a good stop-gap until we solve this problem  
permanently.
> After digging through it, I''ve found a way to accomplish my goal,
> rather than trying to extend ''user'', I''m
adapting the ''define
> account'' that is found in there.
That''s the approach I would recommend.

  --
  Those who speak most of progress measure it by quantity and not
  by quality.     --George Santayana
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

On Jun 27, 2007, at 5:09 PM, Luke Kanies wrote:
> On Jun 27, 2007, at 2:51 PM, Jason Kohles wrote:
>> What I''ll probably end up doing is writing a script to
generate my
>> node definitions, so I can just include the settings/classes I need
>> in the node...
>
> You should look at the external node support:
>
> http://reductivelabs.com/trac/puppet/wiki/
> ConfigurationReference#external-nodes
>
> That''s a *much* better solution than generating your node
> definitions, and is a good stop-gap until we solve this problem
> permanently.
>
This is definitely a much better approach, although I''m having a bit  
of trouble with it (maybe after struggling with this for a while I''ll  
finally learn enough Ruby to figure it out from the code...)

I started out confused because I was running 0.22.4, and the URL has  
documenation for 0.23, which has a very different format.  So I  
looked through the code and came up with this very simple test script  
for the external_nodes setting:

#!/bin/sh

echo ""
echo "common puppet dns"

This seemed to work great until I tried to add network_dev classes  
that set variables that needed to be used elsewhere, and the scoping  
rules got me.  Since the 0.23 version seemed to have already dealt  
with that, I built RPMs for 0.23 and upgraded my test machines, then  
I converted the simple test script to produce YAML.  It seems to  
work, but I can''t figure out what format the
''parameters'' section is
supposed to have...

If I run the script from the command line, I get this output:

[root@dev1-mgmt-01 puppet]# ./node_classifier dev1-mgmt-01
---
parameters:
   puppet_server: dev1-puppet
   file_server: puppet://dev1-puppet/files
classes:
   - mgmt_server
   - cron
   - dns
   - puppet
   - ssh
   - admin_users
   - user_root
   - virt_all_users

 From looking at the code, I thought this was going to get turned  
into the equivalent of:

node dev1-mgmt-01 {
	$puppet_server = ''dev1-puppet''
	$file_server = ''puppet://dev1-puppet/files''
	include mgmt_server
	include cron
	include dns
	include puppet
	include ssh
	include admin_users
	include user_root
	include virt_all_users
}

But that doesn''t seem to be the case, when it gets parsed I end up  
with this error:

[root@dev1-mgmt-01 puppet]# puppetd --test --server dev1-puppet
notice: Ignoring cache
err: Could not retrieve configuration: Could not evaluate classes for  
dev1-mgmt-01: Could not find class puppet_server in namespaces  
mgmt_server at /etc/puppet/manifests/site.pp:14
warning: Not using cache on failed configuration


So it seems like I got the ''classes'' part right, but can
someone tell
me what I''m doing wrong with the ''parameters'' part?

-- 
Jason Kohles
email@jasonkohles.com
http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire

On Jun 28, 2007, at 9:32 AM, Jason Kohles wrote:
> This is definitely a much better approach, although I''m having a
bit
> of trouble with it (maybe after struggling with this for a while
I''ll
> finally learn enough Ruby to figure it out from the code...)
One hopes that wouldn''t be necessary...
> [...]
> If I run the script from the command line, I get this output:
>
> [root@dev1-mgmt-01 puppet]# ./node_classifier dev1-mgmt-01
> ---
> parameters:
>    puppet_server: dev1-puppet
>    file_server: puppet://dev1-puppet/files
> classes:
>    - mgmt_server
>    - cron
>    - dns
>    - puppet
>    - ssh
>    - admin_users
>    - user_root
>    - virt_all_users
Looks good.
>  From looking at the code, I thought this was going to get turned
> into the equivalent of:
>
> node dev1-mgmt-01 {
> 	$puppet_server = ''dev1-puppet''
> 	$file_server = ''puppet://dev1-puppet/files''
> 	include mgmt_server
> 	include cron
> 	include dns
> 	include puppet
> 	include ssh
> 	include admin_users
> 	include user_root
> 	include virt_all_users
> }
>
> But that doesn''t seem to be the case, when it gets parsed I end up
> with this error:
>
> [root@dev1-mgmt-01 puppet]# puppetd --test --server dev1-puppet
> notice: Ignoring cache
> err: Could not retrieve configuration: Could not evaluate classes for
> dev1-mgmt-01: Could not find class puppet_server in namespaces
> mgmt_server at /etc/puppet/manifests/site.pp:14
> warning: Not using cache on failed configuration
>
>
> So it seems like I got the ''classes'' part right, but can
someone tell
> me what I''m doing wrong with the ''parameters''
part?
You''re sure your server is running the new code?

I just tested it with this Ruby script to generate the yaml:

host = ARGV.shift.sub(/\..+$/,'''')

hash = {
     "classes" => %w{one}.collect { |name| name + host },
     "parameters" => {"a" => host, "c" =>
host}
}

require ''yaml''

puts YAML.dump(hash)

And this Puppet script to use it:

class onephage {
     notify { "got one: $a $c": }
}

On my host (named phage), I get this result:

notice: got one: phage phage

  --
  What is the sound of Perl?  Is it not the sound of a wall that
  people have stopped banging their heads against?
          --Larry Wall in <1992Aug26.184221.29627@netlabs.com>
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

On Jun 28, 2007, at 11:51 AM, Luke Kanies wrote:
> On Jun 28, 2007, at 9:32 AM, Jason Kohles wrote:
>> This is definitely a much better approach, although I''m having
a bit
>> of trouble with it (maybe after struggling with this for a while
I''ll
>> finally learn enough Ruby to figure it out from the code...)
>
> One hopes that wouldn''t be necessary...
Well, the documentation for this particular feature is, to put it  
nicely, terse.  :)  I added a page to the wiki (ExternalNodes) that  
explains what I''ve found out about the feature so far, although mt  
implementation isn''t actually working yet, so it may need correction...
>> [...]
>> If I run the script from the command line, I get this output:
>>
>> [root@dev1-mgmt-01 puppet]# ./node_classifier dev1-mgmt-01
>> ---
>> parameters:
>>    puppet_server: dev1-puppet
>>    file_server: puppet://dev1-puppet/files
>> classes:
>>    - mgmt_server
>>    - cron
>>    - dns
>>    - puppet
>>    - ssh
>>    - admin_users
>>    - user_root
>>    - virt_all_users
>
> Looks good.
>
>>  From looking at the code, I thought this was going to get turned
>> into the equivalent of:
>>
>> node dev1-mgmt-01 {
>> 	$puppet_server = ''dev1-puppet''
>> 	$file_server = ''puppet://dev1-puppet/files''
>> 	include mgmt_server
>> 	include cron
>> 	include dns
>> 	include puppet
>> 	include ssh
>> 	include admin_users
>> 	include user_root
>> 	include virt_all_users
>> }
>>
>> But that doesn''t seem to be the case, when it gets parsed I
end up
>> with this error:
>>
>> [root@dev1-mgmt-01 puppet]# puppetd --test --server dev1-puppet
>> notice: Ignoring cache
>> err: Could not retrieve configuration: Could not evaluate classes for
>> dev1-mgmt-01: Could not find class puppet_server in namespaces
>> mgmt_server at /etc/puppet/manifests/site.pp:14
>> warning: Not using cache on failed configuration
>>
>>
>> So it seems like I got the ''classes'' part right, but
can someone tell
>> me what I''m doing wrong with the
''parameters'' part?
>
> You''re sure your server is running the new code?
>
I''m certain, I''ve been restarting puppetmaster every time I
make
changes, and I even rewrote the script in perl instead of bash  
planning to have it get information from an existing database, and I  
still get the same error...

line 14 of my site.pp is ''import "definitions/*"'',
and none of the
files in definitions refers to $puppet_server.

however, I did find some more information about what is going on, if  
the script produces this:

---
classes:
   - common
   - mgmt_server
parameters:
   puppet_server: dev1-puppet

then I get that error, which mentions mgmt_server, if I remove  
mgmt_server from the classes list, then I don''t get that error and  
everything else seems to work fine.  The mgmt_server class looks like  
this:

class mgmt_server {
	include puppet_server
}

Could I be having a conflict caused by having a class and a variable  
with the same name?  I hadn''t realized until I started digging into  
it that I had done that, is it something I should avoid, or is the  
language supposed to be able to handle it?

-- 
Jason Kohles
email@jasonkohles.com
http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire

On Jun 28, 2007, at 2:29 PM, Jason Kohles wrote:
>
> however, I did find some more information about what is going on, if
> the script produces this:
>
> ---
> classes:
>    - common
>    - mgmt_server
> parameters:
>    puppet_server: dev1-puppet
>
> then I get that error, which mentions mgmt_server, if I remove
> mgmt_server from the classes list, then I don''t get that error and
> everything else seems to work fine.  The mgmt_server class looks like
> this:
>
> class mgmt_server {
> 	include puppet_server
> }
>
> Could I be having a conflict caused by having a class and a variable
> with the same name?  I hadn''t realized until I started digging
into
> it that I had done that, is it something I should avoid, or is the
> language supposed to be able to handle it?
>
So it turns out my problem was even stupider than that, I didn''t have  
a variable and a class with the same name, I only had a variable with  
that name, and ''include puppet_server'' should have been
''include
puppetmaster'', once I fixed it to refer to the class that actually  
exists then it worked fine...

-- 
Jason Kohles
email@jasonkohles.com
http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire

On Jun 28, 2007, at 1:38 PM, Jason Kohles wrote:
> So it turns out my problem was even stupider than that, I didn''t
have
> a variable and a class with the same name, I only had a variable with
> that name, and ''include puppet_server'' should have been
''include
> puppetmaster'', once I fixed it to refer to the class that actually
> exists then it worked fine...
Yeah, once I saw that class of yours, I figured that was the problem.

Glad to hear you got it all working, and thanks for making that page.

  --
  I used to get high on life but lately I''ve built up a resistance.
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com