Hi,

I have a class with several ssh_key resources:

    class web_cluster::ssh_keys( $ensure='present') {
      if ! ($ensure in [ "present", "absent" ]) {
        fail("cluster ensure parameter must be absent or present")
      }

      # Set local variables based on the desired state

      if ($ensure == "present") {
        $service_enable = true
        $service_ensure = running
        $package_ensure = latest
        $file_ensure = file
        $user_ensure = present
      } elsif ($ensure == "absent") {
        $service_enable = false
        $service_ensure = stopped
        $package_ensure = absent
        $file_ensure = absent
        $user_ensure = absent
      }

      Ssh_authorized_key {
        type => 'ssh-rsa',
      }

      ssh_authorized_key {

        [...]
        'user@key_3':
          ensure => $hostname ? {
            /host/  => $user_ensure,
            default => absent,
          },
          user => 'www-bi',
          key  => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx1zKQ==';
      }
    }

and every time I run puppet it says:

    notice: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]/ensure: created
    notice: Finished catalog run in 15.78 seconds

but I only have a key there:

    $ cat .ssh/authorized_keys
    # HEADER: This file was autogenerated at Tue Apr 23 11:27:37 +0200 2013
    # HEADER: by puppet. While it can still be managed manually, it
    # HEADER: is definitely not recommended.
    ssh-rsa xxxxxxxx user@key_3

Running it with debug:

    notice: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]/ensure: created
    debug: Flushing ssh_authorized_key provider target /data/www-bi/.ssh/authorized_keys
    debug: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]: The container Class[Web_cluster::Ssh_keys] will propagate my refresh event

I cannot figure out why puppet is pushing the key every time it runs.
It happens with other keys in other servers.
Could it be because of some strange characters in the key?

    # rpm -qa|grep puppet
    puppet-2.7.21-1.el6.noarch

TIA,
Arnau

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
On Tuesday, April 23, 2013 4:45:59 AM UTC-5, Arnau wrote:

> Hi,
>
> I have a class with several ssh_key resources:
>
>     class web_cluster::ssh_keys( $ensure='present') {
>       if ! ($ensure in [ "present", "absent" ]) {
>         fail("cluster ensure parameter must be absent or present")
>       }
>
>       # Set local variables based on the desired state
>
>       if ($ensure == "present") {
>         $service_enable = true
>         $service_ensure = running
>         $package_ensure = latest
>         $file_ensure = file
>         $user_ensure = present
>       } elsif ($ensure == "absent") {
>         $service_enable = false
>         $service_ensure = stopped
>         $package_ensure = absent
>         $file_ensure = absent
>         $user_ensure = absent
>       }
>
>       Ssh_authorized_key {
>         type => 'ssh-rsa',
>       }
>
>       ssh_authorized_key {
>
>         [...]
>         'user@key_3':
>           ensure => $hostname ? {
>             /host/  => $user_ensure,
>             default => absent,
>           },
>           user => 'www-bi',
>           key  => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx1zKQ==';
>       }
>     }
>
> and every time I run puppet it says:
>
>     notice: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]/ensure: created
>     notice: Finished catalog run in 15.78 seconds
>
> but I only have a key there:
>
>     $ cat .ssh/authorized_keys
>     # HEADER: This file was autogenerated at Tue Apr 23 11:27:37 +0200 2013
>     # HEADER: by puppet. While it can still be managed manually, it
>     # HEADER: is definitely not recommended.
>     ssh-rsa xxxxxxxx user@key_3
>
> Running it with debug:
>
>     notice: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]/ensure: created
>     debug: Flushing ssh_authorized_key provider target /data/www-bi/.ssh/authorized_keys
>     debug: /Stage[main]/Web_cluster::Ssh_keys/Ssh_authorized_key[user@key_3]: The container Class[Web_cluster::Ssh_keys] will propagate my refresh event
>
> I cannot figure out why puppet is pushing the key every time it runs.
> It happens with other keys in other servers.
> Could it be because of some strange characters in the key?
>
>     # rpm -qa|grep puppet
>     puppet-2.7.21-1.el6.noarch

Puppet appears to not be correctly matching the existing key line to the declared resource. Inasmuch as Puppet wrote the key line in the first place, this is almost certainly caused by some characteristic of the data supplied to it (i.e. the resource properties), most likely the key. Puppet parses the line via this regular expression:

    /^(?:(.+) )?(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ([^ ]+) ?(.*)$/

The most likely way I can see for that to break is if the key contains any space characters, especially internal or trailing ones. Be sure to check both the key file and the manifest. You can also try manually matching the key line with that regex in irb to check how it is being parsed.

If you're running Puppet on Ruby 1.9 then there's an outside chance that the problem arises from some kind of encoding mismatch. That's pretty unlikely, but there has to be some explanation for why Puppet does not correctly read back the key line that it wrote itself.

John
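The irb check suggested in the reply above, written out as an added example (not code from the thread or from Puppet). The regex is the one quoted in the reply; the helper names, the sample resources and the assumption that an entry counts as already present only when its parsed name and key equal the declared ones are illustrative.

```ruby
# Regex quoted in the reply above for parsing one authorized_keys line.
KEY_LINE = /^(?:(.+) )?(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ([^ ]+) ?(.*)$/

# Split one authorized_keys line into the four captured fields.
def parse_key_line(line)
  m = KEY_LINE.match(line.chomp)
  return nil if m.nil?
  { options: m[1], type: m[2], key: m[3], name: m[4] }
end

# Assumption: a managed entry is written as "<type> <key> <name>", the layout
# shown in the authorized_keys file in the original post.
def render_key_line(res)
  "#{res[:type]} #{res[:key]} #{res[:name]}"
end

# True when the line written for a resource parses back to the same name and
# key, i.e. the entry would be recognised as already present on the next run.
def round_trips?(res)
  parsed = parse_key_line(render_key_line(res))
  !parsed.nil? && parsed[:name] == res[:name] && parsed[:key] == res[:key]
end

# Constructed sample resources (key material is placeholder text).
CLEAN    = { type: 'ssh-rsa', key: 'AAAAB3NzaC1yc2EXAMPLE==',  name: 'user@key_3' }
INTERNAL = { type: 'ssh-rsa', key: 'AAAAB3Nza C1yc2EXAMPLE==', name: 'user@key_3' }
TRAILING = { type: 'ssh-rsa', key: 'AAAAB3NzaC1yc2EXAMPLE== ', name: 'user@key_3' }

if __FILE__ == $PROGRAM_NAME
  [CLEAN, INTERNAL, TRAILING].each do |res|
    parsed = parse_key_line(render_key_line(res))
    puts "#{res[:key].inspect}: parsed=#{parsed.inspect} round_trips=#{round_trips?(res)}"
  end
end
```

With a space inside the key, the text after the space is read back as part of the name; with a trailing space, the name gains a leading space. In both cases the line no longer matches the declared resource.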
Alternatively, are you sure that authorized key file is still present when the next run occurs? Could it be changed or removed by some other process, or even by Puppet itself?

John
Hi,

the key is not the problem (I copied it into 3 users' homes and only one complained).
What's special about that one user? Its home: it's NFS and had file permission problems.

Solved.

Thanks a lot!

Cheers,
Arnau