Puppet users - Nov 2013 - Feeding errors back from custom ENC scripts

Hi All,

I''m looking at integrating our Puppet 2.7.21 setup with an internal
change
management system.  Essentially I need the master to check there is an open 
change window for a given node, and fail the run if not.

I don''t want to have to have a custom configuration on all the nodes
(and
this probably wouldn''t be secure anyway), so plugging this check in
during
the ENC stage seemed to make sense to me.

I''d like to be able to fail the run with a message back to the agent
e.g.
''no valid change window open''.  The problem is, as far as I
can see, it is
not possible to propagate any custom errors back to the master.  It looks 
like the only error is e.g. ''could not find node xxx'' or
similar.  Even
replacing the terminus with a custom one doesn''t appear to help as this
cover-all error looks to be generated in the catalogue compiler.

Does this sound right? Anyone got an ideas if it would be possible to fail 
runs with a custom error from within the puppet master?  Failing from 
within the manifests themselves wouldn''t be an option as they are under
the
control of the users, and so the check could be circumvented.

Dave

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/73d9ced2-fb17-41c7-98ac-0719cad3401d%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Wednesday, November 6, 2013 12:49:27 PM UTC-6, David Gordon
wrote:
>
> Hi All,
>
> I''m looking at integrating our Puppet 2.7.21 setup with an
internal change
> management system.  Essentially I need the master to check there is an open
> change window for a given node, and fail the run if not.
>
> I don''t want to have to have a custom configuration on all the
nodes (and
> this probably wouldn''t be secure anyway), so plugging this check
in during
> the ENC stage seemed to make sense to me.
>
> I''d like to be able to fail the run with a message back to the
agent e.g.
> ''no valid change window open''.  The problem is, as far as
I can see, it is
> not possible to propagate any custom errors back to the master.  It looks 
> like the only error is e.g. ''could not find node xxx'' or
similar.  Even
> replacing the terminus with a custom one doesn''t appear to help as
this
> cover-all error looks to be generated in the catalogue compiler.
>
> Does this sound right? Anyone got an ideas if it would be possible to fail 
> runs with a custom error from within the puppet master?  Failing from 
> within the manifests themselves wouldn''t be an option as they are
under the
> control of the users, and so the check could be circumvented.
>
>
Do you need a bona fide error to be generated, or would it be sufficient to 
deliver a catalog containing only a notification message?  For example, 
given the following class available on your master,

class site::no_window {
  notify { ''no valid change window open'': }
}

, if the ENC determines that it is outside any change window for the target 
node then its output can be simply

classes:
  - site::no_window

.  Supposing that you have neither any global declarations nor a node block 
for the target node, that will result in no changes to the target, except 
possibly Puppet plugin synchronization.  The notify message will appear in 
Puppet''s output.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/d09362d2-088f-4bdf-856d-96433fab3a9d%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.