I am looking at migrating a set of servers from cfengine management to puppet management. For the most part, the move has been relatively straightforward, and I am pleased with the way that puppet's modules have made some of the things I did in cfengine2 much cleaner. There is one thing though that was relatively easy in cfengine that I am not seeing a good way to achieve with puppet.

In cfengine I defined a variable serverlist that was essentially an array of hostnames. I then had the following copy block

    copy:
      somehost::
        /path/to/file/that/updates/nightly
          server=${serverlist}
          dest=/var/www/repository/${this}
          mode=644 owner=apache group=wheel

which caused the one host in the class somehost to copy the file from each server in the array serverlist to the repository.

The closest I see in puppet would be to list each server source as a different file entry in a class.

Something like (pseudo code)

    class pullfile {
      File { ensure => file, owner => apache, group => wheel, mode => 644, }
      file {
        host1: source => "puppet://host1/path/to/file", path => "/var/www/repository/host1";
        host2: source => "puppet://host2/path/to/file", path => "/var/www/repository/host2";
      }
    }

and have puppetmaster on each host.

Is there a better way?

Thanks!

Luke

(Wow, hi Luke! LTNT!)

The standard way to do that is:

    source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]

- check for modules/foo/file-www4, then file-jaunty, then file

On Fri, Sep 18, 2009 at 4:37 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
> I am looking at migrating a set of servers from cfengine management to puppet management. For the most part, the move has been relatively straightforward, and I am pleased with the way that puppet's modules have made some of the things I did in cfengine2 much cleaner. There is one thing though that was relatively easy in cfengine that I am not seeing a good way to achieve with puppet.
>
> In cfengine I defined a variable serverlist that was essentially an array of hostnames. I then had the following copy block
>
>     copy:
>       somehost::
>         /path/to/file/that/updates/nightly
>           server=${serverlist}
>           dest=/var/www/repository/${this}
>           mode=644 owner=apache group=wheel
>
> which caused the one host in the class somehost to copy the file from each server in the array serverlist to the repository.
>
> The closest I see in puppet would be to list each server source as a different file entry in a class.
>
> Something like (pseudo code)
>
>     class pullfile {
>       File { ensure => file, owner => apache, group => wheel, mode => 644, }
>       file {
>         host1: source => "puppet://host1/path/to/file", path => "/var/www/repository/host1";
>         host2: source => "puppet://host2/path/to/file", path => "/var/www/repository/host2";
>       }
>     }
>
> and have puppetmaster on each host.
>
> Is there a better way?
>
> Thanks!
>
> Luke

On Sep 18, 2009, at 18:30 EDT, Disconnect wrote:
>
> (Wow, hi Luke! LTNT!)

Yes, it has!

> The standard way to do that is:
> source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]
> - check for modules/foo/file-www4, then file-jaunty, then file

As I understood source arrays, they would only grab the first one to succeed. Type Reference says "If you specify multiple file sources for a file, then the first source that exists will be used.". Is that page out of date?

Luke

Hi

>> The standard way to do that is:
>> source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]
>> - check for modules/foo/file-www4, then file-jaunty, then file
>
> As I understood source arrays, they would only grab the first one to succeed. Type Reference says "If you specify multiple file sources for a file, then the first source that exists will be used.". Is that page out of date?

No and it is working like that. But TypeReference says as well:

* sourceselect:

  Whether to copy all valid sources, or just the first one. This parameter is only used in recursive copies; by default, the first valid source is the only one used as a recursive source, but if this parameter is set to all, then all valid sources will have all of their contents copied to the local host, and for sources that have the same file, the source earlier in the list will be used. Valid values are first, all.

So you can have both variants.

cheers pete

On Sep 19, 2009, at 05:11 EDT, Peter Meier wrote:
>
> Hi
>
> No and it is working like that. But TypeReference says as well:
>
> * sourceselect:
>
>   Whether to copy all valid sources, or just the first one. This parameter is only used in recursive copies; by default, the first valid source is the only one used as a recursive source, but if this parameter is set to all, then all valid sources will have all of their contents copied to the local host, and for sources that have the same file, the source earlier in the list will be used. Valid values are first, all.
>
> So you can have both variants.
>
> cheers pete

I'd missed that. Thanks!!

Luke

On Fri, Sep 18, 2009 at 10:08 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
> On Sep 18, 2009, at 18:30 EDT, Disconnect wrote:
>> (Wow, hi Luke! LTNT!)
> Yes, it has!
>>
>> The standard way to do that is:
>> source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]
>> - check for modules/foo/file-www4, then file-jaunty, then file
>
> As I understood source arrays, they would only grab the first one to succeed. Type Reference says "If you specify multiple file sources for a file, then the first source that exists will be used.". Is that page out of date?

I missed that part of the problem, although it looks like Peter covered it. Depending on what you are doing, stored configs might be a good answer as well:

http://www.rottenbytes.info/?p=223
http://www.masterzen.fr/2009/08/08/storeconfigs-use-cases/

On Sat, Sep 19, 2009 at 7:53 AM, Luke Schierer <luke.schierer@gmail.com> wrote:
> On Sep 19, 2009, at 05:11 EDT, Peter Meier wrote:
>
>>>> The standard way to do that is:
>>>> source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]
>>>> - check for modules/foo/file-www4, then file-jaunty, then file
>>
>> * sourceselect:
>>
>> Whether to copy all valid sources, or just the first one. This parameter is only used in recursive copies; by default, the first valid source is the only one used as a recursive source, but if this parameter is set to all, then all valid sources will have all of their contents copied to the local host, and for sources that have the same file, the source earlier in the list will be used. Valid values are first, all.
>>
>> So you can have both variants.
>>
>> cheers pete

When I tried to do this with

    source => [ 'puppet://host1/files/target','puppet://host2/files/target']

it works fine for the first host, which acts as the puppetmaster, but not for the second one. It complains about an unknown CA.

I realize that this is because the CA certificates differ on the two hosts, and the certificate puppet is using to pull files is only signed by one of the two, the one it gets its configuration from.

Is there a key or keys I can distribute to each node so that I can pull files from all of them?

Thanks!

Luke

I have tried copying over the contents of the /var/lib/puppet/ssl/ca directory, but apparently something within it is specific to the host, such that it then complains that the certificates and keys do not match. I also saw http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities, but I do not want to put apache on each host. With cfengine2, it was very simple to have cfservd running on each host, distribute the keys to each, and then pull result files from the clients to the central server. I cannot seem to find an example of a similar setup with puppet.

Luke

On Sep 22, 4:30 pm, Luke Schierer <luke.schie...@gmail.com> wrote:
> When I tried to do this with
>
>     source => [ 'puppet://host1/files/target','puppet://host2/files/target']
>
> it works fine for the first host, which acts as the puppetmaster, but not for the second one. It complains about an unknown CA.
>
> I realize that this is because the CA certificates differ on the two hosts, and the certificate puppet is using to pull files is only signed by one of the two, the one it gets its configuration from.
>
> Is there a key or keys I can distribute to each node so that I can pull files from all of them?
>
> Thanks!
>
> Luke

Did you try signing your secondary puppet master as a client of the first one?

Make sure you use fqdn when referring to the second one, as its certificate would be valid to "puppet" or its fqdn.

Ohad

On Thu, Sep 24, 2009 at 4:37 AM, lschiere <luke.schierer@gmail.com> wrote:
> I have tried copying over the contents of the /var/lib/puppet/ssl/ca directory, but apparently something within it is specific to the host, such that it then complains that the certificates and keys do not match. I also saw http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities, but I do not want to put apache on each host. With cfengine2, it was very simple to have cfservd running on each host, distribute the keys to each, and then pull result files from the clients to the central server. I cannot seem to find an example of a similar setup with puppet.
>
> Luke

The secondaries are each clients of the first one. Does the puppetmaster process use the same certificate as puppetd?

Luke

On Sep 23, 2009, at 21:38 EDT, Ohad Levy wrote:
> Did you try signing your secondary puppet master as a client of the first one?
>
> Make sure you use fqdn when referring to the second one, as its certificate would be valid to "puppet" or its fqdn.
>
> Ohad

Yes it should, are you sure you contact the second puppetmaster with its FQDN? e.g.

    source => puppet://second.foor.com/module/file/....

Ohad

On Thu, Sep 24, 2009 at 2:26 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
> The secondaries are each clients of the first one. Does the puppetmaster process use the same certificate as puppetd?
>
> Luke

I have the following snippet I am using to test with the puppet command

    node host1 {

      file { "/var/www/target":
        path => "/var/www/target",
        mode => 570,
        owner => apache,
        group => wheel,
        ensure => directory,
        recurse => inf,
        sourceselect => all,
        source => [
          "puppet://host2.fully.qualified.tld/target_results/recent"
        ],
      }
    }

I run this on host1 with the command

    puppet --verbose --server host1.fully.qualified.tld test.pp | more

and the error I get is

    err: //Node[host1]/File[/var/www/target]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert unknown ca
    err: //Node[host1]/File[/var/www/target]: Failed to retrieve current state of resource: Certificates were not trusted: tlsv1 alert unkown ca Could not descript /target_results/recent: /etc/puppet/test.pp:16

If I change host1 to host1 in the source array, it works. If I list both, it will produce more or less the same results if host2 is listed first, but it will pull the host1 results before printing the error if host1 is listed first.

In the above output and snippet, I have changed the hostnames, but yes, I have verified that I am using the fqdn, and that it is spelled correctly. My hosts are on a closed network, so I've had to transfer the output by hand.

Thanks!
Luke

On Thu, Sep 24, 2009 at 2:52 AM, Ohad Levy <ohadlevy@gmail.com> wrote:
> Yes it should, are you sure you contact the second puppetmaster with its FQDN? e.g.
>
>     source => puppet://second.foor.com/module/file/....
>
> Ohad

On Thu, Sep 24, 2009 at 11:43 AM, Luke Schierer <luke.schierer@gmail.com>wrote:> I have the following snippet I am using to test with the puppet command > > node host1 { > > file { "/var/www/target": > path => "/var/www/target", > mode => 570, > owner => apache, > group => wheel, > ensure => directory, > recurse => inf, > sourceselect => all, > source => [ > "puppet://host2.fully.qualified.tld/target_results/recent" > ], > } > } > > I run this on host1 with the command > puppet --verbose --server host1.fully.qualified.tld test.pp | more > and the error I get is > err: //Node[host1]/File[/var/www/target]: Failed to generate additional > resources during transaction: Certificates were not trusted: tlsv1 alert > unknown ca > err: //Node[host1]/File[/var/www/target]: Failed to retrieve current state > of resource: Certificates were not trusted: tlsv1 alert unkown ca Could not > descript /target_results/recent: /etc/puppet/test.pp:16 > > if I change host1 to host1 in the source array, it works. If I list both, > it will produce more or less the same results if host2 is listed first, but > it will pull the host1 results before printing the error if host1 is listed > first. > > in the above output and snippet, I have changed the hostnames, but yes, I > have verfied that I am using the fqdn, and that it is spelled correctly. My > hosts are on a closed network, so I''ve had to transfer the output by hand. > > Thanks! > Luke > > On Thu, Sep 24, 2009 at 2:52 AM, Ohad Levy <ohadlevy@gmail.com> wrote: > >> Yes it should, are you sure you contact the second puppetmaster with its >> FQDN? e.g. >> >> source => puppet://second.foor.com/module/file/..<http://second.foor.com/module/> >> .. >> >> Ohad >> >I am still unable to get this to work. I have tried adding ca = false cacrl = false ca_server = host1.fully.qualified.tld to the puppet.conf file on host2, but I still get the same error. 
I also tried uninstalling the puppet-server rpm, removing the /var/lib/puppet/ca directory, re-installing puppet-server, and then starting it. I started the puppetmasterd on the command line on host2 with --no-daemonize --debug --verbose, and while I see it listening, I see nothing as host1 attempts to connect to it. The certificate in the /var/lib/puppet/ssl/certs directory checks out fine with openssl verify using the ca certificate from host1.

Any ideas on how to make this work would be very welcome.

Thanks!
Luke
On Fri, Sep 25, 2009 at 1:23 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
> On Thu, Sep 24, 2009 at 11:43 AM, Luke Schierer <luke.schierer@gmail.com> wrote:
>
>> I have the following snippet I am using to test with the puppet command
>>
>> node host1 {
>>
>>   file { "/var/www/target":
>>     path => "/var/www/target",
>>     mode => 570,
>>     owner => apache,
>>     group => wheel,
>>     ensure => directory,
>>     recurse => inf,
>>     sourceselect => all,
>>     source => [
>>       "puppet://host2.fully.qualified.tld/target_results/recent"
>>     ],
>>   }
>> }
>>
>> I run this on host1 with the command
>> puppet --verbose --server host1.fully.qualified.tld test.pp | more
>> and the error I get is
>> err: //Node[host1]/File[/var/www/target]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert unknown ca
>> err: //Node[host1]/File[/var/www/target]: Failed to retrieve current state of resource: Certificates were not trusted: tlsv1 alert unkown ca Could not descript /target_results/recent: /etc/puppet/test.pp:16
>>
>> If I change host1 to host1 in the source array, it works. If I list both,
>> it will produce more or less the same results if host2 is listed first, but
>> it will pull the host1 results before printing the error if host1 is listed
>> first.
>>
>> In the above output and snippet, I have changed the hostnames, but yes, I
>> have verified that I am using the fqdn, and that it is spelled correctly. My
>> hosts are on a closed network, so I've had to transfer the output by hand.
>>
>> Thanks!
>> Luke
>>
>> On Thu, Sep 24, 2009 at 2:52 AM, Ohad Levy <ohadlevy@gmail.com> wrote:
>>
>>> Yes it should, are you sure you contact the second puppetmaster with its
>>> FQDN? e.g.
>>>
>>> source => puppet://second.foor.com/module/file/....
>>>
>>> Ohad
>>
> I am still unable to get this to work.
> I have tried adding
> ca = false
> cacrl = false
> ca_server = host1.fully.qualified.tld

I have a partial solution, I set ca = false and ca_server host1.fully.qualified.tld in the puppet.conf file. I then remove the puppet-server rpm. I then ensure that /var/lib/puppet/ca/ca_crt.pem and /var/lib/puppet/ca/ca_crl.pem are the same as those from host1. I then make sure that they are owned by the puppet user. I then re-install the puppet-server rpm.

This works for my redhat 5 machines, I'm able to pull from the array of sources. However, it does not work for redhat 4 machines. If a redhat 4 machine is listed in the array, I get

err: Could not call fileserver.list: #<NoMethodError: prive method 'split' called for nil.NilClass>
err: //Node[host1]/File[/path/to/target]: Failed to generate additional resources durring transaction

Both the redhat 4 and the redhat 5 machines are 64bit installs. The rhel4 machines have puppet and puppet-server 0.24.8-4.el4 and the rhel5 machines have 0.24.8-4.el5, both from the EPEL repository.

Any advice would be appreciated.

Thanks!
Luke
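The trust problem behind the "unknown ca" alert earlier in the thread, and the shared-CA workaround in the message above, can be reproduced offline with openssl. This is an added example, not part of the original thread: ca1 and ca2 are throwaway CAs standing in for the ones on host1 and host2, and the helper and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example with constructed data: ca1/ca2 stand in for the separate CAs
# that the puppetmasters on host1 and host2 each generated for themselves.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {  # $1 = CA name -> $WORK/$1.key and $WORK/$1.crt (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 demo CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_cert() {  # $1 = signing CA, $2 = server FQDN, $3 = output name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -days 1 -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$3.crt" 2>/dev/null
}

trusted_by() {  # $1 = CA the agent trusts, $2 = server cert; 0 if it chains
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1 | grep -q ': OK$'
}

report() {  # print the verdict an agent trusting CA $1 reaches for cert $2
  if trusted_by "$1" "$2"; then echo "$2 under $1: trusted"
  else echo "$2 under $1: unknown ca"; fi
}

make_ca ca1                                            # host1's CA
make_ca ca2                                            # host2's own CA
issue_cert ca1 host1.fully.qualified.tld host1
issue_cert ca2 host2.fully.qualified.tld host2_own     # before the workaround
issue_cert ca1 host2.fully.qualified.tld host2_shared  # after: signed by host1's CA

# The agent on host1 trusts only ca1, as in the thread.
report ca1 host1
report ca1 host2_own
report ca1 host2_shared
```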
On Fri, Sep 25, 2009 at 4:04 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
>
> This works for my redhat 5 machines, I'm able to pull from the array of
> sources. However, it does not work for redhat 4 machines. If a redhat 4
> machine is listed in the array, I get
>
> err: Could not call fileserver.list: #<NoMethodError: prive method 'split' called for nil.NilClass>
> err: //Node[host1]/File[/path/to/target]: Failed to generate additional resources durring transaction

I am still unable to figure out why puppetd on rhel5 can pull from a puppetmaster on rhel5 but not a puppetmaster on rhel4. Again, any help would be greatly appreciated.

Luke
On Mon, Sep 28, 2009 at 3:12 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
> On Fri, Sep 25, 2009 at 4:04 PM, Luke Schierer <luke.schierer@gmail.com> wrote:
>
>> This works for my redhat 5 machines, I'm able to pull from the array of
>> sources. However, it does not work for redhat 4 machines. If a redhat 4
>> machine is listed in the array, I get
>>
>> err: Could not call fileserver.list: #<NoMethodError: prive method 'split' called for nil.NilClass>
>> err: //Node[host1]/File[/path/to/target]: Failed to generate additional resources durring transaction
>
> I am still unable to figure out why puppetd on rhel5 can pull from a
> puppetmaster on rhel5 but not a puppetmaster on rhel4. Again, any help
> would be greatly appreciated.
>
> Luke

After some googling and reading through the wiki, I found that puppet apparently has some issues with ruby 1.8.1, which is what comes with rhel4. I pulled some centos rpms of ruby 1.8.5 from the centos 4 testing repository, and restarted the puppetmasterd and puppetd processes. I still get the error about no private method 'split'.

I could really use some advice here on what I might be doing wrong.

Thanks!
Luke