Hello, I am not exactly sure how to phrase this, but consider the following: case $::role { ''access'': { notify {"Applying access packages" :} include access_packages freebsd::rc_conf { ''test'' : value => ''yes'', ensure => ''present'' } openvpn::server {''winterthur'' : country => ''CH'', province => ''ZH'', city => ''Winterthur'', organization => ''example.org'', email => ''root@example.org'', server => ''10.200.200.0 255.255.255.0''} } ''client'': { notify {"Applying client config" :} openvpn::client { ''client1'': server => "winterthur" } } } What I am trying to do in ''client'' case is reference the server that was defined in the ''access'' case. Is this possible? The openvpn module here; https://github.com/luxflux/puppet-openvpn contains some examples and such that lead me to believe there should be a reference, but it seems like that only is applicable if they have the same scope. How would I go about storing off the ''winterthur'' openvpn::server for use by the clients later? Puppet''s class variable access and scoping in general are a little confusing to me at this point. I tried the obvious assigning a $variable but that didn''t work either. Also, looking at the openvpn code, it seems like openvpn::server is "define"d instead of using the class keyword. does this make a difference? Thanks -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Matthew Barr
2013-Dec-10 06:25 UTC
Re: [Puppet Users] Access class results variables in puppet
In this case, you’ve got 2 issues. 1, most of that data would, ideally, be in Hiera. But, with a defined type, you can’t use the parameterized classes lookup. 2. That case statement means that the catalog for the system with “client" doesn’t even know anything about the “access" resources. I’d suggest in this case: (but I’m not loving the code design, to be honest. Look under the example for more. $vpn_server = ‘winterthur'' case $::role { ''access'': { <snip> openvpn::server {“$vpn_server" : country => ''CH'', province => ''ZH'', city => ''Winterthur'', organization => ''example.org'', email => ''root@example.org'', server => ''10.200.200.0 255.255.255.0''} } ''client'': { notify {"Applying client config" :} openvpn::client { ''client1'': server => “$vpn_server" } } } This screams for a better separation, to me. Unless you only have 1 set of servers & clients… — Maybe use a class, with the parameters pulling in the details from hiera, and using the variable parameters in the code. — they would include city,province, server_ip, email, country. Matthew Barr mbarr@mbarr.net c: (646) 727-0535 On Dec 9, 2013, at 5:32 PM, Derek Cole <derek.cole@gmail.com> wrote:> Hello, > > I am not exactly sure how to phrase this, but consider the following: > > case $::role { > ''access'': { > notify {"Applying access packages" :} > include access_packages > > freebsd::rc_conf { ''test'' : > value => ''yes'', > ensure => ''present'' > } > openvpn::server {''winterthur'' : > country => ''CH'', > province => ''ZH'', > city => ''Winterthur'', > organization => ''example.org'', > email => ''root@example.org'', > server => ''10.200.200.0 255.255.255.0''} > > } > ''client'': { > notify {"Applying client config" :} > openvpn::client { ''client1'': > server => "winterthur" > } > > } > } > > > What I am trying to do in ''client'' case is reference the server that was defined in the ''access'' case. Is this possible? The openvpn module here; https://github.com/luxflux/puppet-openvpn > > contains some examples and such that lead me to believe there should be a reference, but it seems like that only is applicable if they have the same scope. How would I go about storing off the ''winterthur'' openvpn::server for use by the clients later? Puppet''s class variable access and scoping in general are a little confusing to me at this point. I tried the obvious assigning a $variable but that didn''t work either. Also, looking at the openvpn code, it seems like openvpn::server is "define"d instead of using the class keyword. does this make a difference? > > Thanks > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/57B1DC95-1CDD-4E70-AFF6-120AC2C75234%40mbarr.net. For more options, visit https://groups.google.com/groups/opt_out.
Derek Cole
2013-Dec-12 00:12 UTC
Re: [Puppet Users] Access class results variables in puppet
I see what you''re saying about the design of the code. The suggested workaround you proposed doesn''t work. It''s the same as if I just have the literal in there. Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource ''Openvpn::Server[winterthur]'' for relationship on ''Openvpn::Client[client1]'' on node 28ae5ab6-e8f4-4da1-bae3-4df3ce94a6fe.cs1cloud.internal Warning: Not using cache on failed catalog Error: Could not retrieve catalog; skipping run I think I just realized something about the library after looking at the dependencies in the client code. This module actually just generates all of the configs but i dont think is meant to actually be used to deploy onto a virtual machine. The end result if I run this on a specific node is that I end up with an importable openvpn profile. I was under the impression that the openvpn::client name actually installed the profile on the actual remote node. I guess I am going to need a separate process to import that openvpn profile on a specific node that is a client node. The end goal here is to automatically provision a node that is a server, and a few nodes that connect to that server with openvpn. This module won''t actually do all of that like I thought. -Derek On Tuesday, December 10, 2013 1:25:05 AM UTC-5, Matthew Barr wrote:> > In this case, you’ve got 2 issues. > > 1, most of that data would, ideally, be in Hiera. But, with a defined > type, you can’t use the parameterized classes lookup. > > 2. That case statement means that the catalog for the system with “client" > doesn’t even know anything about the “access" resources. > > I’d suggest in this case: (but I’m not loving the code design, to be > honest. Look under the example for more. > > > > $vpn_server = ‘winterthur'' > > case $::role { > ''access'': { > <snip> > openvpn::server {“$vpn_server" : > country => ''CH'', > province => ''ZH'', > city => ''Winterthur'', > organization => ''example.org'', > email => ''ro...@example.org <javascript:>'', > > server => ''10.200.200.0 255.255.255.0''} > > } > ''client'': { > notify {"Applying client config" :} > openvpn::client { ''client1'': > server => “$vpn_server" > } > > } > } > > This screams for a better separation, to me. Unless you only have 1 set > of servers & clients… > — Maybe use a class, with the parameters pulling in the details from > hiera, and using the variable parameters in the code. > — they would include city,province, server_ip, email, country. > > > > > > Matthew Barr > mb...@mbarr.net <javascript:> > c: (646) 727-0535 > > On Dec 9, 2013, at 5:32 PM, Derek Cole <derek...@gmail.com <javascript:>> > wrote: > > > Hello, > > > > I am not exactly sure how to phrase this, but consider the following: > > > > case $::role { > > ''access'': { > > notify {"Applying access packages" :} > > include access_packages > > > > freebsd::rc_conf { ''test'' : > > value => ''yes'', > > ensure => ''present'' > > } > > openvpn::server {''winterthur'' : > > country => ''CH'', > > province => ''ZH'', > > city => ''Winterthur'', > > organization => ''example.org'', > > email => ''ro...@example.org <javascript:>'', > > > server => ''10.200.200.0 255.255.255.0''} > > > > } > > ''client'': { > > notify {"Applying client config" :} > > openvpn::client { ''client1'': > > server => "winterthur" > > } > > > > } > > } > > > > > > What I am trying to do in ''client'' case is reference the server that was > defined in the ''access'' case. Is this possible? The openvpn module here; > https://github.com/luxflux/puppet-openvpn > > > > contains some examples and such that lead me to believe there should be > a reference, but it seems like that only is applicable if they have the > same scope. How would I go about storing off the ''winterthur'' > openvpn::server for use by the clients later? Puppet''s class variable > access and scoping in general are a little confusing to me at this point. I > tried the obvious assigning a $variable but that didn''t work either. Also, > looking at the openvpn code, it seems like openvpn::server is "define"d > instead of using the class keyword. does this make a difference? > > > > Thanks > > > > -- > > You received this message because you are subscribed to the Google > Groups "Puppet Users" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to puppet-users...@googlegroups.com <javascript:>. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com. > > > For more options, visit https://groups.google.com/groups/opt_out. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8377c983-942a-4406-8e2e-d9550a08c84b%40googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Jeff Bachtel
2013-Dec-12 00:49 UTC
Re: [Puppet Users] Access class results variables in puppet
In the case of the module you''re using ( https://github.com/luxflux/puppet-openvpn it appears) and you seem to have already understood this, the client resource has a hard dependency on files that should only exist on the server (due to client cert generation process). All is really not lost, though. Because the openvpn::client script generates two files for the openvpn configuration, you can easily enough do: case $::role { ''access'': { notify {"Applying access packages" :} include access_packages freebsd::rc_conf { ''test'' : value => ''yes'', ensure => ''present'' } openvpn::server {''winterthur'' : country => ''CH'', province => ''ZH'', city => ''Winterthur'', organization => ''example.org'', email => ''root@example.org'', server => ''10.200.200.0 255.255.255.0''} openvpn::client { ''client1'': server => "winterthur" } -> @@file { ''/etc/openvpn/winterthur/download-configs/client1.ovpn'' } openvpn::client_specific_config { ''client1'': server => "winterthur" } -> @@file { ''/etc/openvpn/winterthur/client-configs/client1'' } } ''client'': { notify {"Applying client config" :} File <<| name == ''/etc/openvpn/winterthur/download-configs/client1.ovpn'' |>> File <<| name == ''/etc/openvpn/winterthur/client-configs/client1'' |>> } } This will instantiate the files on your client (assuming the server has applied its manifest successfully) and it can then be the target of an actual openvpn client configuration. Note that you''ll have to do the latter yourself, as the module you''re using doesn''t seem to actually handle OpenVPN client package installation. The more traditionally puppet way to handle this would be to have the CA or delegate CA on the puppet server itself, and have it write out such keys to some place like /etc/puppet/keydist/$fqdn for hosts to pull down using normal puppet:/// fileserver syntax. I''ve not tested my above code, and haven''t reviewed the module from luxflux enough to guarantee that it will work for you. It''d definitely require some investigation, as you''re extending the module a bit beyond its original intent. Jeff On 12/09/2013 05:32 PM, Derek Cole wrote:> Hello, > > I am not exactly sure how to phrase this, but consider the following: > > case $::role { > ''access'': { > notify {"Applying access packages" :} > include access_packages > > freebsd::rc_conf { ''test'' : > value => ''yes'', > ensure => ''present'' > } > openvpn::server {''winterthur'' : > country => ''CH'', > province => ''ZH'', > city => ''Winterthur'', > organization => ''example.org'', > email => ''root@example.org'', > server => ''10.200.200.0 255.255.255.0''} > > } > ''client'': { > notify {"Applying client config" :} > openvpn::client { ''client1'': > server => "winterthur" > } > > } > } > > > What I am trying to do in ''client'' case is reference the server that > was defined in the ''access'' case. Is this possible? The openvpn module > here; https://github.com/luxflux/puppet-openvpn > > contains some examples and such that lead me to believe there should > be a reference, but it seems like that only is applicable if they have > the same scope. How would I go about storing off the ''winterthur'' > openvpn::server for use by the clients later? Puppet''s class variable > access and scoping in general are a little confusing to me at this > point. I tried the obvious assigning a $variable but that didn''t work > either. Also, looking at the openvpn code, it seems like > openvpn::server is "define"d instead of using the class keyword. does > this make a difference? > > Thanks > -- > You received this message because you are subscribed to the Google > Groups "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send > an email to puppet-users+unsubscribe@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com. > For more options, visit https://groups.google.com/groups/opt_out.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52A90812.5080606%40bericotechnologies.com. For more options, visit https://groups.google.com/groups/opt_out.