Hello,

I am not exactly sure how to phrase this, but consider the following:

    case $::role {
      'access': {
        notify { "Applying access packages": }
        include access_packages

        freebsd::rc_conf { 'test':
          value  => 'yes',
          ensure => 'present'
        }
        openvpn::server { 'winterthur':
          country      => 'CH',
          province     => 'ZH',
          city         => 'Winterthur',
          organization => 'example.org',
          email        => 'root@example.org',
          server       => '10.200.200.0 255.255.255.0'
        }
      }
      'client': {
        notify { "Applying client config": }
        openvpn::client { 'client1':
          server => "winterthur"
        }
      }
    }

What I am trying to do in the 'client' case is reference the server that was defined in the 'access' case. Is this possible? The openvpn module here; https://github.com/luxflux/puppet-openvpn contains some examples and such that lead me to believe there should be a reference, but it seems like that only is applicable if they have the same scope. How would I go about storing off the 'winterthur' openvpn::server for use by the clients later? Puppet's class variable access and scoping in general are a little confusing to me at this point. I tried the obvious assigning a $variable but that didn't work either. Also, looking at the openvpn code, it seems like openvpn::server is "define"d instead of using the class keyword. Does this make a difference?

Thanks
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Matthew Barr
2013-Dec-10 06:25 UTC
Re: [Puppet Users] Access class results variables in puppet
In this case, you’ve got 2 issues.

1. Most of that data would, ideally, be in Hiera. But, with a defined type, you can’t use the parameterized classes lookup.
2. That case statement means that the catalog for the system with "client" doesn’t even know anything about the "access" resources.

I’d suggest in this case (but I’m not loving the code design, to be honest; look under the example for more):

    $vpn_server = 'winterthur'

    case $::role {
      'access': {
        # <snip>
        openvpn::server { "$vpn_server":
          country      => 'CH',
          province     => 'ZH',
          city         => 'Winterthur',
          organization => 'example.org',
          email        => 'root@example.org',
          server       => '10.200.200.0 255.255.255.0'
        }
      }
      'client': {
        notify { "Applying client config": }
        openvpn::client { 'client1':
          server => "$vpn_server"
        }
      }
    }

This screams for a better separation, to me. Unless you only have 1 set of servers & clients…
— Maybe use a class, with the parameters pulling in the details from hiera, and using the variable parameters in the code.
— They would include city, province, server_ip, email, country.

Matthew Barr
mbarr@mbarr.net
c: (646) 727-0535
Derek Cole
2013-Dec-12 00:12 UTC
Re: [Puppet Users] Access class results variables in puppet
I see what you're saying about the design of the code. The suggested workaround you proposed doesn't work. It's the same as if I just have the literal in there.

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'Openvpn::Server[winterthur]' for relationship on 'Openvpn::Client[client1]' on node 28ae5ab6-e8f4-4da1-bae3-4df3ce94a6fe.cs1cloud.internal
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

I think I just realized something about the library after looking at the dependencies in the client code. This module actually just generates all of the configs, but I don't think it is meant to actually be used to deploy onto a virtual machine. The end result if I run this on a specific node is that I end up with an importable openvpn profile. I was under the impression that the openvpn::client name actually installed the profile on the actual remote node. I guess I am going to need a separate process to import that openvpn profile on a specific node that is a client node.

The end goal here is to automatically provision a node that is a server, and a few nodes that connect to that server with openvpn. This module won't actually do all of that like I thought.

-Derek
Jeff Bachtel
2013-Dec-12 00:49 UTC
Re: [Puppet Users] Access class results variables in puppet
In the case of the module you're using (https://github.com/luxflux/puppet-openvpn, it appears), and you seem to have already understood this, the client resource has a hard dependency on files that should only exist on the server (due to client cert generation process).

All is really not lost, though. Because the openvpn::client script generates two files for the openvpn configuration, you can easily enough do:

    case $::role {
      'access': {
        notify { "Applying access packages": }
        include access_packages

        freebsd::rc_conf { 'test':
          value  => 'yes',
          ensure => 'present'
        }
        openvpn::server { 'winterthur':
          country      => 'CH',
          province     => 'ZH',
          city         => 'Winterthur',
          organization => 'example.org',
          email        => 'root@example.org',
          server       => '10.200.200.0 255.255.255.0'
        }

        openvpn::client { 'client1':
          server => "winterthur"
        } -> @@file { '/etc/openvpn/winterthur/download-configs/client1.ovpn': }

        openvpn::client_specific_config { 'client1':
          server => "winterthur"
        } -> @@file { '/etc/openvpn/winterthur/client-configs/client1': }
      }
      'client': {
        notify { "Applying client config": }
        File <<| name == '/etc/openvpn/winterthur/download-configs/client1.ovpn' |>>
        File <<| name == '/etc/openvpn/winterthur/client-configs/client1' |>>
      }
    }

This will instantiate the files on your client (assuming the server has applied its manifest successfully) and it can then be the target of an actual openvpn client configuration. Note that you'll have to do the latter yourself, as the module you're using doesn't seem to actually handle OpenVPN client package installation.

The more traditionally puppet way to handle this would be to have the CA or delegate CA on the puppet server itself, and have it write out such keys to some place like /etc/puppet/keydist/$fqdn for hosts to pull down using normal puppet:/// fileserver syntax.

I've not tested my above code, and haven't reviewed the module from luxflux enough to guarantee that it will work for you. It'd definitely require some investigation, as you're extending the module a bit beyond its original intent.

Jeff
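
Added example (not part of Jeff's message and not code from the luxflux module): a sketch of the keydist approach described above, in which each agent pulls only its own profile from a per-host fileserver mount instead of collecting it as an exported resource, which any other node's manifest could collect as well. The mount name keydist, the file name winterthur.ovpn and the target paths are assumptions.

```puppet
# Added example; mount name, file names and paths below are assumptions.
#
# Assumed mount on the puppet master, in /etc/puppet/fileserver.conf.
# %H expands to the requesting node's FQDN as taken from its SSL
# certificate, so an agent can only read its own subdirectory:
#
#   [keydist]
#     path /etc/puppet/keydist/%H
#     allow *
#
# Assumed layout on the master, written by whatever process runs the CA:
#   /etc/puppet/keydist/<client fqdn>/winterthur.ovpn

case $::role {
  'client': {
    # Hypothetical target directory; adjust to where the OS's OpenVPN
    # package expects its configuration.
    file { '/etc/openvpn':
      ensure => directory,
      owner  => 'root',
      group  => '0',
      mode   => '0700',
    }

    # Treat the profile as key material: root-only permissions, and
    # backup => false so replaced copies are not stored in the filebucket.
    file { '/etc/openvpn/winterthur.ovpn':
      ensure  => file,
      owner   => 'root',
      group   => '0',
      mode    => '0600',
      backup  => false,
      source  => 'puppet:///keydist/winterthur.ovpn',
      require => File['/etc/openvpn'],
    }
  }
  default: { }
}
```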