Justin wrote:
> Trying to think ahead...
>
> If I set up users' ssh keys in a central repository, named, for
> example:
>   authorized_keys.john
>   authorized_keys.joe
>   authorized_keys.jane
>
> and then include in my manifest:
>
>   file { "/home/$owner/.ssh/authorized_keys":
>     owner  => john,
>     group  => john,
>     mode   => 0400,
>     source => [
>       "puppet://var/lib/puppet/keys/authorized_keys.$owner",
>       "puppet://var/lib/puppet/keys/authorized_keys"
>     ]
>   }
>
> Is puppet going to figure out that I am talking about making sure
> /home/john/.ssh/authorized_keys should be replaced by the repository's
> authorized_keys.john?
>
> Is there some better way to do this, such that each user for whom I
> have a key, has their key readily pushed out to various servers?

I think you're gonna need to define a custom resource similar to:

  # $name is the title the define is declared with (the user name);
  # $user and $group fall back to it when not given.
  define authorized_key_file( $user = false,
                              $group = false,
                              $ensure = present) {
    file { "/home/$name/.ssh/authorized_keys":
      owner  => $user ? {
        false   => $name,
        default => $user
      },
      group  => $group ? {
        false   => $name,
        default => $group
      },
      mode   => 0400,
      ensure => $ensure,
      source => [
        "puppet://somewhere/authorized_keys.$name",
        "puppet://somewhere/authorized_keys"
      ]
    }
  }

and then use:

  authorized_key_file { [
    "john",
    "joe",
    "jane"
  ]:
    group => "they-re-all-mine-anyways"
  }

  authorized_key_file { [
    "boss",
    "colleague"
  ]:
    ensure => absent
  }

Hope this example makes sense ;-)

-Jeroen

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Sure does; thanks!

Other user-specific files can most likely also be copied in the same manner.

Thanks a lot; I appreciate the help!

On Jul 29, 2:23 pm, Jeroen van Meeuwen <kana...@kanarip.com> wrote:
Moved along from there nicely. Down to one more stumbling block.

I've added to /etc/puppet/fileserver.conf:

  [auth_keys]
    path /var/lib/puppet/files/auth_keys
    allow 192.168.1.0/24

(and I have confirmed that this path leads right to the stored auth keys)

and set up the host.pp file similar to above (added in back-tracking to make sure the home dir exists, the .ssh dir exists, with suitable permissions and ownership):

  source => [ "puppet://localhost/auth_keys/authorized_keys.$name",
              "puppet://localhost/auth_keys/authorized_keys" ]

(I've also tried

  source => [ "puppet:///localhost/auth_keys/authorized_keys.$name",
              "puppet:///localhost/auth_keys/authorized_keys" ]
)

Everything works properly, until puppet tries to talk to itself (remember, the same system is both master and puppet), and returns:

  localhost puppet # puppetd --test --noop
  notice: Ignoring cache info: Caching catalog at /var/lib/puppet/localconfig.yaml
  notice: Starting catalog run
  err: //Authorized_key_file[doofus]/File[/home/doofus/.ssh/authorized_keys]/source: Could not describe /localhost/auth_keys/authorized_keys.doofus: Cannot access mount[auth_keys]
  err: //Authorized_key_file[doofus]/File[/home/doofus/.ssh/authorized_keys]/source: Could not describe /localhost/auth_keys/authorized_keys: Cannot access mount[auth_keys]

Still stumped, and evidently missing another something...

Once I get this thing squared away, I will gladly contribute this whole experience on setting up and getting basic bits and pieces together working!

On Jul 29, 2:40 pm, zoniguana <rjustinwilli...@gmail.com> wrote:
Some more info

When I change the manifest to use an IP instead of the hostname, I get a different error.
With the IP address, puppet complains that the keys don't match.
With the hostname, puppet complains that the hostname is invalid (or that it cannot resolve).

So, evidently, there is a separate config to teach puppetd what fileservers it should be trying to talk to; does this make sense?

On Jul 30, 8:48 am, zoniguana <rjustinwilli...@gmail.com> wrote:
> Howdy again
>
> I now have a second machine talking to test_box successfully, for the most part.
> I'm running into a significant roadblock, though.
> When freya tries to talk to test_box, it authenticates fine and starts to put together the configuration, until it gets to my source line; then it pukes with the error:
>
>   Parameter source failed: Could not understand source puppet://test_box.valhalla/auth_keys/authorized_keys: the scheme puppet does not accept registry part: test_box.valhalla (or bad hostname?) at /etc/puppet/manifests/classes/homes.pp
>
> That in turn results in a "The configuration could not be instantiated" warning.
>
> On freya, puppet.conf has server listed as test_box.valhalla.
> On test_box, fileserver.conf has auth_keys defined, with access allowed for 192.168.1.0/24 and *.valhalla, with the path defined as /var/lib/puppet/files/auth_keys. The keys that are to be copied over are in that path.
>
> I also tried pulling test_box.valhalla out of the source path in the manifest, under the notion that the puppet scheme would, by default, try to look at the previously defined server, and interpret the first part after puppet:// as path, rather than server name, but, no change.
>
> I see, when I start puppetmaster up in no-daemon/debug mode:
>
>   debug: No modules mount given; autocreating with default permissions
>   debug: No plugins mount given; autocreating with default permissions
>
> Does this impact the ability to serve files? Is there something other than the above that I need to define to get things working?
>
> On Jul 29, 2:23 pm, Jeroen van Meeuwen <kana...@kanarip.com> wrote:
Another interesting bit of info:

  test_box classes # puppetmasterd --no-daemon --debug
  info: Starting server for Puppet version 0.24.4
  info: mount[auth_keys]: allowing 192.168.1.0/24 access
  info: mount[auth_keys]: allowing *.valhalla access
  info: mount[files]: allowing 192.168.1.0/24 access
  info: mount[files]: allowing *.valhalla access
  debug: No modules mount given; autocreating with default permissions
  debug: No plugins mount given; autocreating with default permissions

Do the last two lines mean that the mounts were actually *not* enabled as the prior 4 lines would indicate?

On Jul 30, 10:01 am, zoniguana <rjustinwilli...@gmail.com> wrote:
Hi

> test_box classes # puppetmasterd --no-daemon --debug
> info: Starting server for Puppet version 0.24.4
> info: mount[auth_keys]: allowing 192.168.1.0/24 access
> info: mount[auth_keys]: allowing *.valhalla access
> info: mount[files]: allowing 192.168.1.0/24 access
> info: mount[files]: allowing *.valhalla access
> debug: No modules mount given; autocreating with default permissions
> debug: No plugins mount given; autocreating with default permissions
>
> Do the last two lines mean that the mounts were actually *not* enabled
> as the prior 4 lines would indicate?

No, the modules and plugins mounts are used to distribute modules and custom types. You don't need them if you don't use them.

greets
pete.
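The "Cannot access mount[auth_keys]" and "does not accept registry part" errors earlier in the thread both come from checks the master applies to a puppet:// source before serving anything. The following is an added example, not Puppet's own code and not from anyone in the thread: a simplified Python model of those checks (first path component as the mount name, the mount's allow rules, and a hostname syntax check), run against a fileserver.conf constructed from what the thread describes. It assumes, as the thread's output suggests, that a puppetd run on the master itself reaches the server as 127.0.0.1, which an allow rule of 192.168.1.0/24 does not cover, and that the Ruby URI error quoted in the thread is the underscore in test_box being rejected as a host name.

```python
"""Simplified model of the checks a puppet:// file source goes through on the
master.  Added for this thread, not Puppet's own code: a mount allow-list check
(behind "Cannot access mount[...]") and a hostname check like the one behind
"does not accept registry part".  The conf text below is constructed."""
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit

FILESERVER_CONF = """
[auth_keys]
  path /var/lib/puppet/files/auth_keys
  allow 192.168.1.0/24
  allow *.valhalla
"""
# Host labels: letters, digits and hyphens only; an underscore is not a host.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.?$")

def parse_fileserver_conf(text):
    """Return {mount: {"path": str, "allow": [rule, ...]}}."""
    mounts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:
            current = mounts.setdefault(section.group(1), {"path": None, "allow": []})
            continue
        key, _, value = line.partition(" ")
        if key == "path":
            current["path"] = value.strip()
        elif key == "allow":
            current["allow"].append(value.strip())
    return mounts

def rule_matches(rule, client_ip, client_name):
    # CIDR/IP rules match the client address; anything else is a hostname glob.
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return fnmatch.fnmatch(client_name, rule)

def resolve(source, mounts, client_ip, client_name):
    """Return (served_path, reason); served_path is None when the request is refused."""
    url = urlsplit(source)
    # Empty authority (puppet:///mount/...) means the configured server; otherwise it must be a valid hostname.
    if url.netloc and not HOSTNAME_RE.match(url.netloc):
        return None, f"the scheme puppet does not accept registry part: {url.netloc}"
    # The first path component names the mount; whatever follows is the file.
    mount, _, rest = url.path.lstrip("/").partition("/")
    if mount not in mounts:
        return None, f"no mount[{mount}] in fileserver.conf"
    if not any(rule_matches(r, client_ip, client_name) for r in mounts[mount]["allow"]):
        return None, f"Cannot access mount[{mount}] from {client_ip}"
    return f"{mounts[mount]['path']}/{rest}", "ok"
```

Adding `allow 127.0.0.1` (or the master's own hostname) to the mount is what lets the same-host run in the model pass; the three-slash form with a hostname after it is looked up as a mount, not as a server.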