Hullo,

I am attempting to use collections in order to distribute ssh keys across (soon) many hosts but I am hitting some trouble (the recipe I am using is at the end of this email). Namely it looks like sshkeys resources are not marked as exported in the sqlite db. I.e. if I do:

    sqlite3 clientconfigs.sqlite3
    SQLite version 3.3.5
    Enter ".help" for instructions
    sqlite> select * from resources where exported = 't';

I get nothing. But if I manually set all sshkey resources as exported then suddenly all clients start getting ssh keys from other machines i.e.:

    sqlite> update resources SET exported='t' where restype='sshkey';

So I am either doing something wrong below or exported resources are not tagged as such? Hints? Bug? Help?

Thanks,

Josko P.

Recipe:

    class ssh_rsa_keys {
        # add the key, if we have one
        case $sshrsakey {
            "": { # ignore empty keys
            }
            default: {
                @@sshkey { "$hostname": type => rsa, key => $sshrsakey }
                @@sshkey { "$fqdn": type => rsa, key => $sshrsakey }
                @@sshkey { "$ipaddress": type => rsa, key => $sshrsakey }
            }
        }
    }

    class ssh_keys {
        include ssh_rsa_keys

        # Now collect everyone else's keys
        Sshkey <<| |>>
        # and my own?
        Sshkey <| |>
    }

On Wednesday 08 August 2007, Josko Plazonic wrote:
> Hullo,
>
> I am attempting to use collections in order to distribute ssh keys
> across (soon) many hosts but I am hitting some trouble (the recipe I am
> using is at the end of this email). Namely it looks like sshkeys
> resources are not marked as exported in the sqlite db. I.e. if I do:
> sqlite3 clientconfigs.sqlite3
> SQLite version 3.3.5
> Enter ".help" for instructions
> sqlite> select * from resources where exported = 't';
> I get nothing. But if I manually set all sshkey resources as exported
> then suddenly all clients start getting ssh keys from other machines i.e.:
> sqlite> update resources SET exported='t' where restype='sshkey';
>
> So I am either doing something wrong below or exported resources are not
> tagged as such? Hints? Bug? Help?
>
> Thanks,
>
> Josko P.
>
> Recipe:
>
> class ssh_rsa_keys {
>     # add the key, if we have one
>     case $sshrsakey {
>         "": { # ignore empty keys
>         }
>         default: {
>             @@sshkey { "$hostname": type => rsa, key => $sshrsakey }
>             @@sshkey { "$fqdn": type => rsa, key => $sshrsakey }
>             @@sshkey { "$ipaddress": type => rsa, key => $sshrsakey }
>         }
>     }
> }
>
> class ssh_keys {
>     include ssh_rsa_keys
>
>     # Now collect everyone else's keys
>     Sshkey <<| |>>
>     # and my own?
>     Sshkey <| |>
> }

Have you checked whether $sshrsakey really has a content? Also, $sshrsakey is not of the correct format for key=>, since it contains the type as well as the comment.

You can also try my ssh module from the SVN repository at http://club.black.co.at:82/svn/manifests/trunk/modules/ssh/

Regards, David

--
The primary freedom of open source is not the freedom from cost, but the freedom to shape software to do what you want. This freedom is /never/ exercised without cost, but is available /at all/ only by accepting the very different costs associated with open source, costs not in money, but in time and effort.
-- http://www.schierer.org/~luke/log/20070710-1129/on-forks-and-forking

David Schmitt wrote:
> Have you checked whether $sshrsakey really has a content? Also, $sshrsakey is
> not of the correct format for key=>, since it contains the type as well as
> the comment.
>

Oh no, that part works - after all if it didn't I wouldn't be getting ssh keys deposited in the right format in /etc/ssh/ssh_known_hosts after I manually tag all sshkeys as exported... From what I can see they are just not being tagged as exported despite me using two @ signs for the collection.

Josko P.

On Aug 8, 2007, at 7:45 AM, Josko Plazonic wrote:
>
> class ssh_rsa_keys {
>     # add the key, if we have one
>     case $sshrsakey {
>         "": { # ignore empty keys
>         }
>         default: {
>             @@sshkey { "$hostname": type => rsa, key => $sshrsakey }
>             @@sshkey { "$fqdn": type => rsa, key => $sshrsakey }
>             @@sshkey { "$ipaddress": type => rsa, key => $sshrsakey }
>         }
>     }
> }

Note that this could be one line:

    @@sshkey { $hostname: type => rsa, key => $sshrsakey, alias => [$fqdn, $ipaddress] }

> class ssh_keys {
>     include ssh_rsa_keys
>
>     # Now collect everyone else's keys
>     Sshkey <<| |>>
>     # and my own?
>     Sshkey <| |>
> }

This second statement isn't necessary -- the query will pull from the local host automatically.

As to your problem, I just attempted to reproduce it and could not. You're sure that you're using the correct db and everything, that you haven't changed the db adapter or something?

Can anyone else reproduce it?

Here's the snippet I used:

    @@sshkey { $hostname: type => rsa, key => $sshrsakey }

Which I put in test.pp and ran like this:

    test.pp --storeconfigs --vardir /tmp/sctest --confdir /tmp/sctest -v

And then tested the contents:

    luke@culain(0) $ sqlite3 /tmp/sctest/state/clientconfigs.sqlite3
    SQLite version 3.3.8
    Enter ".help" for instructions
    sqlite> select * from resources where exported = 't';
    1|culain|sshkey|1|1|t|3|2007-08-08 09:48:24
    sqlite>

--
A censor is a man who knows more than he thinks you ought to.
-- Granville Hicks
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Aug 8, 2007, at 8:32 AM, David Schmitt wrote:
> Have you checked whether $sshrsakey really has a content? Also,
> $sshrsakey is not of the correct format for key=>, since it contains
> the type as well as the comment.

That got fixed a good while ago.

--
Once...in the wilds of Afghanistan, I lost my corkscrew, and we were forced to live on nothing but food and water for days.
-- W. C. Fields
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

Luke Kanies wrote:
> This second statement isn't necessary -- the query will pull from the
> local host automatically.
>
> As to your problem, I just attempted to reproduce it and could not.
> You're sure that you're using the correct db and everything, that you
> haven't changed the db adapter or something?
>
> Can anyone else reproduce it?
>
> Here's the snippet I used:
>
> @@sshkey { $hostname: type => rsa, key => $sshrsakey }
>
> Which I put in test.pp and ran like this:
>
> test.pp --storeconfigs --vardir /tmp/sctest --confdir /tmp/sctest -v
>
> And then tested the contents:
>
> luke@culain(0) $ sqlite3 /tmp/sctest/state/clientconfigs.sqlite3
> SQLite version 3.3.8
> Enter ".help" for instructions
> sqlite> select * from resources where exported = 't';
> 1|culain|sshkey|1|1|t|3|2007-08-08 09:48:24
> sqlite>
>

Ok, found my problem - had another, older, class with the same name that got used when I included ssh_rsa_key (I was originally hoping to collect both rsa and dsa keys but had to give up on that) and that one used one @. So false alarm, sorry about that - doing things too quickly is never good...

Though there is one problem - I just switched to mysql backend and with that backend

    exported = 't'

test from /usr/lib/ruby/site_ruby/1.8/puppet/parser/collector.rb needs to be changed to exported = '1'. I guess a temporary fix might be to test for both 1 and t but there is probably a more database-independent way to test for that.

BTW any reasons not to use mysql instead of sqlite (other than the above bug)?

Josko P.

On Aug 8, 2007, at 10:30 AM, Josko Plazonic wrote:
>
> Ok, found my problem - had another, older, class with the same name
> that got used when I included ssh_rsa_key (I was originally hoping to
> collect both rsa and dsa keys but had to give up on that) and that one
> used one @. So false alarm, sorry about that - doing things too quickly
> is never good...

*whew*

> Though there is one problem - I just switched to mysql backend and
> with that backend
> exported = 't'
> test from /usr/lib/ruby/site_ruby/1.8/puppet/parser/collector.rb needs
> to be changed to exported = '1'. I guess a temporary fix might be to
> test for both 1 and t but there is probably a more database-independent
> way to test for that.

I think we're supposed to actually use 'true' there instead of 't', and ActiveRecord should translate it appropriately.

> BTW any reasons not to use mysql instead of sqlite (other than the
> above bug)?

Quite the opposite -- you should use anything except sqlite.

--
A great many people think they are thinking when they are merely rearranging their prejudices.
-- William James
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

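Added example (not part of the original thread and not Puppet's own code): a read-only audit of a storeconfigs database that lists which sshkey resources are flagged as exported, accepting both the 't' encoding seen with SQLite and the 1 encoding reported for MySQL, so a host whose key was declared without being exported shows up before other hosts silently miss it in known_hosts. The resources table and its restype and exported columns come from the queries in the thread; the title column name and all sample rows are constructed for illustration.

```python
import sqlite3


def is_exported(value):
    """Interpret the 'exported' column regardless of backend encoding."""
    if isinstance(value, str):
        return value.strip().lower() in ("t", "true", "1")
    return bool(value)  # integers from MySQL-style rows; NULL counts as false


def audit_sshkeys(conn):
    """Split sshkey resources into exported and local-only titles."""
    exported, local_only = [], []
    query = "SELECT title, exported FROM resources WHERE restype = ? ORDER BY title"
    for title, flag in conn.execute(query, ("sshkey",)):
        (exported if is_exported(flag) else local_only).append(title)
    return exported, local_only


def build_sample_db():
    """Constructed sample data; the 'title' column name is an assumption."""
    conn = sqlite3.connect(":memory:")
    # 'exported' has no declared type so each row keeps the encoding it was given.
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, title TEXT, restype TEXT, exported)"
    )
    conn.executemany(
        "INSERT INTO resources (title, restype, exported) VALUES (?, ?, ?)",
        [
            ("culain", "sshkey", "t"),  # SQLite-style true
            ("web01", "sshkey", 1),     # MySQL-style true
            ("db01", "sshkey", "f"),    # not exported, e.g. declared with a single @
            ("db02", "sshkey", 0),      # not exported, integer encoding
            ("motd", "file", "t"),      # other resource types are ignored
        ],
    )
    return conn


if __name__ == "__main__":
    exported, local_only = audit_sshkeys(build_sample_db())
    print("exported:", exported)
    print("not exported (other hosts will not collect these):", local_only)
```

Against a real database, pass a connection opened on a copy of the storeconfigs file to audit_sshkeys instead of the sample one.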