Saturday, 2008-04-19

[2008/04/19 00:10:29] @ Quit: nigelk: Read error: 104 (Connection reset by peer)
[2008/04/19 00:10:39] @ nigelk joined channel #puppet
[2008/04/19 00:11:19] @ Yappy joined channel #puppet
[2008/04/19 00:14:12] @ a-priori_ joined channel #puppet
[2008/04/19 00:14:31] <ballpointpenthie> password
[2008/04/19 00:14:39] <ballpointpenthie> sorry, wrong keyboard
[2008/04/19 00:16:34] @ Quit: johnf: Read error: 110 (Connection timed out)
[2008/04/19 00:18:46] <riddley> does ruby have a strpad ?
[2008/04/19 00:19:30] <riddley> nm
[2008/04/19 00:22:42] @ a-priori__ joined channel #puppet
[2008/04/19 00:28:56] @ Quit: a-priori: Read error: 110 (Connection timed out)
[2008/04/19 00:31:53] @ Quit: nigelk:
[2008/04/19 00:32:22] @ Quit: windowsrefund: "Leaving"
[2008/04/19 00:35:11] @ a-priori joined channel #puppet
[2008/04/19 00:39:09] @ Quit: a-priori_: Read error: 110 (Connection timed out)
[2008/04/19 00:40:08] @ duritong_ joined channel #puppet
[2008/04/19 00:40:40] @ sknight joined channel #puppet
[2008/04/19 00:40:48] <sknight> mornin' all
[2008/04/19 00:40:56] <sknight> so lak, we fixed that problem last night
[2008/04/19 00:41:00] <sknight> :-p
[2008/04/19 00:41:14] <lak> oh?
[2008/04/19 00:41:29] <sknight> I had a filebucket defined in site.pp
[2008/04/19 00:41:43] @ a-priori_ joined channel #puppet
[2008/04/19 00:41:51] <sknight> wrote it down straight from the book, and kept the name 'puppet' instead of my puppet server
[2008/04/19 00:42:02] <sknight> and that was evidently overriding everything else
[2008/04/19 00:42:09] <sknight> shrug
[2008/04/19 00:43:23] <sknight> so, here's another (slightly less retarded) question
[2008/04/19 00:43:31] <lak> that seems pretty odd
[2008/04/19 00:43:44] <sknight> so I know how to use a case statement against a facter fact when defining a variable
[2008/04/19 00:44:08] <sknight> how can I make a case statement that works with files?
[2008/04/19 00:45:18] <sknight> basically, i'm making a module that manages ldap client stuff, and I want it to serve different files to different locations based on the $operatingsystem fact (we're mostly Debian, with a handful of CentOS boxen)
[2008/04/19 00:46:15] @ a-priori___ joined channel #puppet
[2008/04/19 00:46:23] <sknight> or would it be more efficient/readable if I used the %h, %H, or %d dynamic variables when defining the path?
[2008/04/19 00:46:24] <ashp> can't you just, when it comes time to do the source =>
[2008/04/19 00:46:30] <lak> path => $operatingsystem ? { debian => blah, default => otherblah }
[2008/04/19 00:46:31] <ashp> do the case there
[2008/04/19 00:46:43] <sknight> and instead used symlinks back on the puppetmaster for each individual host?
[2008/04/19 00:46:43] <ashp> or, yeah, listen to the expert :)
[2008/04/19 00:48:00] <sknight> so, I've got this:
[2008/04/19 00:48:01] <sknight> http://pastebin.com/d4eab8d35
[2008/04/19 00:48:49] <sknight> where does
[2008/04/19 00:48:54] <sknight> 'path' come in?
[2008/04/19 00:49:21] <riddley> lak, is puppetrun in a state where it can be grabbed and run standalone (like you were attempting to do when you were here?)
[2008/04/19 00:49:42] <lak> sknight: use whatever parameter you need selection in
[2008/04/19 00:49:54] <lak> riddley: i don't remember what happened when i tried it there
[2008/04/19 00:50:00] <lak> what do you mean by standalone?
[2008/04/19 00:50:17] <sknight> oh, so I can just do that $variable ? thinger just about anywhere?
[2008/04/19 00:50:18] <sknight> neat!
[2008/04/19 00:50:33] <riddley> it was having trouble because we didn't have some aspect of rails installed and you were talking about installing rails into the vendor tree or some craziness that we didn't grok :)
[2008/04/19 00:53:49] @ Quit: duritong: Read error: 110 (Connection timed out)
[2008/04/19 00:53:59] <duritong_> is lab42 al around?
[2008/04/19 00:54:03] @ duritong_ is now known as duritong
[2008/04/19 00:55:23] <sknight> so this is valid?
[2008/04/19 00:55:23] <sknight> http://pastebin.com/d7c230bee
[2008/04/19 00:56:19] @ Quit: a-priori__: Read error: 110 (Connection timed out)
[2008/04/19 00:57:47] @ Quit: a-priori: Read error: 113 (No route to host)
[2008/04/19 00:58:06] @ shake-n-bake joined channel #puppet
[2008/04/19 00:58:21] <lak> except for the fact that you forgot the ':', yes
[2008/04/19 00:59:03] <sknight> the ':'?
[2008/04/19 01:00:03] <sknight> oh. yes. the ":"
[2008/04/19 01:02:32] @ Quit: a-priori_: Read error: 113 (No route to host)
[2008/04/19 01:03:06] @ Quit: oxtail: Read error: 113 (No route to host)
[2008/04/19 01:04:42] @ nigelk joined channel #puppet
[2008/04/19 01:04:43] @ a-priori joined channel #puppet
[2008/04/19 01:05:01] @ oxtail joined channel #puppet
[2008/04/19 01:05:24] <sknight> ok, I must be doing something retarded
[2008/04/19 01:05:49] <sknight> I'm getting this error: err: Could not retrieve catalog: Syntax error at ':'; expected '}' at /etc/puppet/modules/ldap/manifests/init.pp:11 on node vnagios01.eigvps.net
[2008/04/19 01:05:52] <sknight> with this code:
[2008/04/19 01:06:09] <sknight> http://pastebin.com/d35597af4
[2008/04/19 01:06:40] <lak> again, you must understand what you're trying to do
[2008/04/19 01:06:44] <lak> you're creating a resource
[2008/04/19 01:06:55] <lak> there must be a colon between the resource's title and its attributes
[2008/04/19 01:07:06] <lak> in this situation, your title is that selector structure
[2008/04/19 01:07:08] <lak> but it's still a title
[2008/04/19 01:07:26] <lak> the select uses commas to delimit multiple choices
[2008/04/19 01:07:28] <lak> not the colon
[2008/04/19 01:07:46] <sknight> so when ruby does the replacement, where does the selector-structure end when it's made a decision?
[2008/04/19 01:07:52] @ muerr joined channel #puppet
[2008/04/19 01:07:58] <sknight> <--- speaks Perl, prefers 'line-noise'
[2008/04/19 01:08:03] <sknight> :-p
[2008/04/19 01:08:12] <lak> if you have a normal string for the title, you put a colon after the title, right?
[2008/04/19 01:08:17] <sknight> right
[2008/04/19 01:08:23] <lak> so why would the colon be somewhere else just because the title isn't a normal string?
[2008/04/19 01:08:30] <lak> and this has nothing to do with ruby v perl
[2008/04/19 01:08:33] <sknight> because there's a question-mark there
[2008/04/19 01:08:38] <lak> no
[2008/04/19 01:08:50] <lak> that whole structure -- $var ? { ... } -- is one syntactic element
[2008/04/19 01:08:55] <lak> and it is the title
[2008/04/19 01:09:03] <sknight> so should this "file { $operatingsystem ? {" become this:
[2008/04/19 01:09:06] <sknight> file { $operatingsystem: ? {
[2008/04/19 01:09:06] <lak> when it is evaluated, it will produce a single string
[2008/04/19 01:09:08] <sknight> or this:
[2008/04/19 01:09:10] <sknight> file { $operatingsystem ?: {
[2008/04/19 01:09:13] <sknight> or this:
[2008/04/19 01:09:14] <sknight> file { $operatingsystem ? {:
[2008/04/19 01:09:24] <lak> what is the title in your snippet?
[2008/04/19 01:09:38] <sknight> it depends on what $operatingsystem is
[2008/04/19 01:09:51] <lak> no, syntactically, what text plays the role of the title
[2008/04/19 01:10:08] <sknight> I... don't think I understand the question
[2008/04/19 01:10:13] <lak> what text will produce the title when evaluated?
[2008/04/19 01:10:19] <lak> or even, what code will produce it?
[2008/04/19 01:10:33] <sknight> the result of the evaluation of $operatingsystem
[2008/04/19 01:10:37] <lak> no
[2008/04/19 01:10:44] <lak> the result of the evaluation of the whole selector
[2008/04/19 01:10:51] <lak> your title isn't $operatingsystem, is it?
[2008/04/19 01:11:12] <sknight> not unless I've really fucked up :-p
[2008/04/19 01:11:28] @ a-priori_ joined channel #puppet
[2008/04/19 01:12:05] <sknight> ahhhh!
[2008/04/19 01:12:07] @ jY joined channel #puppet
[2008/04/19 01:12:08] * sknight is enlightened
[2008/04/19 01:12:39] <lak> oh?
[2008/04/19 01:12:51] <jY> is the only way to do groups on the server side via hostnames?
[2008/04/19 01:13:00] <jY> so only certain hosts get config files
[2008/04/19 01:13:21] <sknight> like this: http://pastebin.com/d742d89ec
[2008/04/19 01:13:34] <sknight> and voila, it compiles and does what I want it to do! :-p
[2008/04/19 01:14:19] <sknight> jY: you can do case statements against facter variables, and distribute files that way
[2008/04/19 01:14:51] <jY> well i'd like to specify a machine as an oracle machine.. and have it grab that way
[2008/04/19 01:14:56] <sknight> like, this code that I conveniently have here:
[2008/04/19 01:14:58] <sknight> like this: http://pastebin.com/d742d89ec
[2008/04/19 01:15:03] <sknight> :-D
[2008/04/19 01:15:19] <sknight> how do you have your node definitions set up?
[2008/04/19 01:15:21] <lak> sknight: exactly; see? you just have to understand the syntax :)
[2008/04/19 01:15:40] <sknight> lak: isn't that the case with everything though? (ba dum-pshh)(
[2008/04/19 01:15:43] <jY> right now its just node default
[2008/04/19 01:15:50] <sknight> ahhh
[2008/04/19 01:15:54] <sknight> split that up
[2008/04/19 01:15:59] @ a-priori__ joined channel #puppet
[2008/04/19 01:16:03] <jY> i know you can do node hostname.. just wondering if you can specify on the client
[2008/04/19 01:16:16] <jY> like a tag or such.. is a oracle machine.. is a web machine
[2008/04/19 01:16:32] <sknight> you could set an environment variable on boot that gets passed to facter
[2008/04/19 01:16:40] <sknight> and then do a case statement for that
[2008/04/19 01:16:42] @ Quit: tim\|mb: "This computer has gone to sleep"
[2008/04/19 01:16:52] <lak> jY: Puppet has no default means of doing so, if that's your question
[2008/04/19 01:17:00] <jY> ok
[2008/04/19 01:17:05] <lak> you'd need a custom fact
[2008/04/19 01:17:10] <muerr> jY, we use a 'base' class that has the default stuff, then specific node types inherit that, and set their own things.
[2008/04/19 01:17:10] <jY> so i'd have to write my own facter rules
[2008/04/19 01:17:27] <sknight> jY: yeah, but it's wicked simple
[2008/04/19 01:17:43] <jY> muerr, ya that is what i'd like do do.. but the only way i can find out how to do that is on the master server setting the node host.domain.com {}
[2008/04/19 01:17:43] <sknight> facter reads in environment variables on the host
[2008/04/19 01:18:06] <muerr> class nodetype { # this is the base, defaults here }, class nodetype::apacheserver inherits nodetype { # include classes that set up a web server }, node www { include nodetype::apache }, for example.
[2008/04/19 01:18:33] <jY> so how does the master know its a node www
[2008/04/19 01:18:50] <muerr> when a client with hostname 'www' connects, it goes to node www.
[2008/04/19 01:19:11] <jY> ya i don't want to do it that way.. so i'll have to write my own facter rules
[2008/04/19 01:19:36] <jY> i want a jr guy to install a OS select its an oracle box.. and puppet sends all the oracle files without touching the puppetmaster server
[2008/04/19 01:19:46] <muerr> then you want an external node classification tool.
[2008/04/19 01:20:25] * Volcane wrote something that parses /etc/facts.txt with var=value pairs in it to define custom facts
[2008/04/19 01:20:26] <sknight> muerr: so what if the hostname is like "blarghsnarf1322"?
[2008/04/19 01:20:28] <Volcane> might be what u want
[2008/04/19 01:20:40] <sknight> with a fqdn of blarghsnarf1322.example.com?
[2008/04/19 01:20:50] <Volcane> so i just put in the file lines for whatever facts i need defined
[2008/04/19 01:21:00] <jY> Volcane, ya that is what i'm gonna have to do
[2008/04/19 01:21:01] <sknight> will puppet/facter know to only get a type of 'blarghsnarff' instead of the full hostname?
[2008/04/19 01:21:22] <muerr> we don't do arbitrary hostname craziness.
[2008/04/19 01:21:38] <Volcane> crziness indeed :)
[2008/04/19 01:21:46] <muerr> we're managing our infrastructure servers and public-facing websites/mail servers. we know what their hostnames are, so we write node {}'s for them.
[2008/04/19 01:21:48] <sknight> <muerr> when a client with hostname 'www' connects, it goes to node www.
[2008/04/19 01:22:02] <sknight> so what if the hostname is "www004"?
[2008/04/19 01:22:11] * Volcane worked for a company who bought a company that was based in finland, and they had host name conventions based on types of foods and drinks, all in finish! was a nightmare
[2008/04/19 01:22:19] <muerr> if we know that we're building a box named www004, we write a node block for it.
[2008/04/19 01:22:28] <sknight> ahh ok
[2008/04/19 01:22:34] @ a-priori____ joined channel #puppet
[2008/04/19 01:22:35] <sknight> but that nodeblock won't apply to a box named www005?
[2008/04/19 01:22:42] <muerr> nope
[2008/04/19 01:22:51] <sknight> damn, you got me all excited for a minute :-p
[2008/04/19 01:22:55] <muerr> www004 and www005 are going to have different network interfaces :-)
[2008/04/19 01:22:58] <Volcane> this is something where those external node things will work well
[2008/04/19 01:23:05] <muerr> they'll both incldue nodetype::apache or whatever.
[2008/04/19 01:23:40] <sknight> we're gonna eventually have hostnames vps001 to vps250.eigvps.net
[2008/04/19 01:23:50] <sknight> that's... a metric fuckton of node definitions :-p
[2008/04/19 01:23:59] <muerr> heh
[2008/04/19 01:24:23] <sknight> any way we can.... not have to do that? :-D
[2008/04/19 01:24:25] @ Quit: muerr: Read error: 104 (Connection reset by peer)
[2008/04/19 01:24:39] @ muerr joined channel #puppet
[2008/04/19 01:25:14] <muerr> $ grep -c ^node nodes.pp = 24
[2008/04/19 01:25:24] @ Quit: a-priori: Read error: 110 (Connection timed out)
[2008/04/19 01:25:29] <Volcane> sknight: I'd use a script to generate them ala http://reductivelabs.com/trac/puppet/wiki/ExternalNodes
[2008/04/19 01:25:56] <muerr> i think we're looking at a total of 40 boxes at this site all told. and we're building them one service type at a time because they're replacing an existing infrastructure.
[2008/04/19 01:26:20] @ Quit: a-priori___: No route to host
[2008/04/19 01:26:55] <sknight> yeeeaaaaah, I'm gonna have upwards of 2000 when all is said and done :-p
[2008/04/19 01:26:59] @ a-priori joined channel #puppet
[2008/04/19 01:27:21] * sknight is one of three admins at a honkin' huge hosting company
[2008/04/19 01:28:11] <lutter> Yappy: still there ?
[2008/04/19 01:28:43] <muerr> heh.
[2008/04/19 01:28:55] <muerr> I'm one of five at a smallish IT security training company.
[2008/04/19 01:29:19] <sknight> shiny!
[2008/04/19 01:29:23] <sknight> security, eh?
[2008/04/19 01:29:28] <muerr> Yes.
[2008/04/19 01:29:29] <sknight> don't suppose you speak grsec, do ya?
[2008/04/19 01:29:57] <muerr> Nope
[2008/04/19 01:30:01] <sknight> d'oh
[2008/04/19 01:30:22] <sknight> we've got a pretty hefty and restrictive grsec policy set up on all of our boxes here
[2008/04/19 01:30:31] <muerr> Ah. We use SELinux :-)
[2008/04/19 01:30:46] <muerr> And manage custom policies with puppet, no less.
[2008/04/19 01:30:54] <sknight> I'm trying to figure out how I can have the puppet user get full access to all the stuff it needs
[2008/04/19 01:30:57] <sknight> which is... a challenge ;-p
[2008/04/19 01:31:14] <muerr> Yeah, its a lot easier in SELinux I guess :-)
[2008/04/19 01:31:29] @ Quit: a-priori_: Connection timed out
[2008/04/19 01:31:31] <sknight> werd
[2008/04/19 01:31:48] <muerr> Our training is wide and varied, covering all aspects of IT security... We don't have specific topics covering grsec (or selinux for that matter).
[2008/04/19 01:32:04] <sknight> selinux was cool, but it had... issues when we tried to give it a policy in excess of 200,000 objects
[2008/04/19 01:32:25] <muerr> Sounds like that policy needs to be broken up into smaller chunks.
[2008/04/19 01:32:51] <muerr> But I'm by no means an SELinux expert. I read a book, read some man pages, and after writing the puppet manifest, let it do the rest
[2008/04/19 01:33:18] <sknight> well, like I said, we're a hosting company. we've got about a million-ish customers, each with their own stuff out on an NFS mount or forty
[2008/04/19 01:33:55] <sknight> some of them have just straight-up HTML hosting, others have PHP/Perl, still others have MySQL databases, a
[2008/04/19 01:34:17] <sknight> muerr: hang on, gotta auth to nickserv
[2008/04/19 01:34:22] <muerr> lol
[2008/04/19 01:34:23] <muerr> :)
[2008/04/19 01:34:46] <sknight> well f***
[2008/04/19 01:34:51] <sknight> can't remember my password :-p
[2008/04/19 01:34:53] <muerr> Right. We're a bit more straightforward with our stuff. Two each of web server, SMTP gateway, database, mail storage.
[2008/04/19 01:34:55] <muerr> lol
[2008/04/19 01:35:00] <ashp> i avoid the hell out of selinux
[2008/04/19 01:35:07] <muerr> ashp: most people do
[2008/04/19 01:35:14] <sknight> but long story short, it's Endurance International
[2008/04/19 01:35:27] @ sdodson_ is now known as sdodson
[2008/04/19 01:35:35] <sknight> we buy up smaller webhosting companies that are in trouble, and make them suck less (in theory)
[2008/04/19 01:35:52] <ashp> and in practice? :D
[2008/04/19 01:35:55] <sknight> we own places like powweb, readyhosting, fatcow, bizland, etc etc etc
[2008/04/19 01:36:07] <sknight> ashp: there are always naysayers ;-)
[2008/04/19 01:36:22] <ashp> integrating environments like that is a nightmare, we did a lot of that at tiscali
[2008/04/19 01:36:25] <muerr> I'm with SANS.
[2008/04/19 01:36:25] <ashp> and it was always horrible
[2008/04/19 01:36:32] <sknight> yeah
[2008/04/19 01:36:40] <sknight> we just bought up another huge provider, ipower
[2008/04/19 01:36:48] <sknight> THAT environment was a charlie-foxtrot
[2008/04/19 01:37:17] <fsweetser> muerr: out of curiosity, how do you manage policies in puppet?
[2008/04/19 01:37:23] <sknight> we're about 90% of the way done with that migration, thank god
[2008/04/19 01:37:38] <sknight> Migration: A time when there are No Weekends(tm)
[2008/04/19 01:38:50] <muerr> well, we've got some scripts that run to gather the policy information needed from audit2allow for a particular service or context.
[2008/04/19 01:39:02] <muerr> and use puppet to push the script out where needed, run it, and compile the policy.
[2008/04/19 01:39:17] <sknight> anyways, with this ldap module I'm writing, I'm gonna have ~5 file{} statements for the various doohickys needed
[2008/04/19 01:39:34] <sknight> is there any way to set a default owner/group/mode for ONE file{}, and have it apply to the rest?
[2008/04/19 01:40:13] <muerr> i'm a huge fan of the file type.
[2008/04/19 01:40:56] <muerr> File { owner => "root", group => "root" } as the first line in the class, and it will be applied within that class's scope
[2008/04/19 01:40:58] <fsweetser> muerr: so you manually extract the info via audit2allow, and then just use a bunch of exec's to load teh policy?
[2008/04/19 01:41:31] <muerr> fsweetser: kind of.. i didn't write that particular module :-)
[2008/04/19 01:41:47] <fsweetser> I see =)
[2008/04/19 01:41:59] <fsweetser> but basically, it's all manifest trickery, rather than any native types?
[2008/04/19 01:42:19] @ Quit: a-priori__: Read error: 110 (Connection timed out)
[2008/04/19 01:42:39] <muerr> Yeah, we dont have any custom providers.
[2008/04/19 01:42:47] @ Quit: a-priori____: Read error: 113 (No route to host)
[2008/04/19 01:43:06] <muerr> It is a custom define w/in puppet manifest context. define selinux::module () { }.
[2008/04/19 01:43:30] @ a-priori_ joined channel #puppet
[2008/04/19 01:43:40] <muerr> lets see... we push out a selinux $name.te file, push out a setup script associated with that, and then run the script.
[2008/04/19 01:43:57] <fsweetser> ah, okay. I was curious how you'd done it, since I've been working on some selinux native types: http://spook.wpi.edu/
[2008/04/19 01:44:12] <sknight> FRANK!
[2008/04/19 01:44:20] <sknight> holy christ dude, how're you doing!
[2008/04/19 01:44:24] <sknight> <--- Lee
[2008/04/19 01:44:26] @ Quit: tim\|imac: "Leaving"
[2008/04/19 01:44:47] <sknight> remember me? used to work in the Shop, roomed with Phil and Paul for awhile?
[2008/04/19 01:45:12] <muerr> the setup script is actually a template which grabs the $name to pass to checkmodule, semodule_package, semodule.
[2008/04/19 01:45:18] <fsweetser> yeah, how's it going?
[2008/04/19 01:45:24] <fsweetser> man, small world =)
[2008/04/19 01:45:58] <fsweetser> muerr: is it posted anywhere? it sounds like it could complement the work I've done nicely
[2008/04/19 01:46:00] <muerr> We do generate the .te files manually with audit2allow, not automatically.
[2008/04/19 01:46:13] <sknight> pretty good man, pretty good!
[2008/04/19 01:46:25] <sknight> I finally broke out of the front-line tech-support wage slave thing
[2008/04/19 01:46:40] <sknight> and all it took was for me to drop out of college! :-p
[2008/04/19 01:47:01] <sknight> are Joe and Phil and all them still around?
[2008/04/19 01:47:30] <muerr> fsweetser: no.. we don't use a git repo, so converting what we have in svn to go into the wiki:CommonModules setup hasn't been a priority.
[2008/04/19 01:47:33] <gepetto_> muerr: fsweetser: wiki:CommonModules is http://reductivelabs.com/trac/puppet/wiki/CommonModules
[2008/04/19 01:48:29] @ Quit: Yappy: "leaving"
[2008/04/19 01:48:34] @ Quit: jeckersb: "Leaving"
[2008/04/19 01:48:41] @ a-priori__ joined channel #puppet
[2008/04/19 01:49:17] <fsweetser> muerr: heh - I haven't even had a chance to really read that page yet =)
[2008/04/19 01:51:29] <sknight> fsweetser: I'd respond via msg, but I can't authenticate to freenode. one sec, lemme see what the #^*^# password reset thinger is like
[2008/04/19 01:52:06] <muerr> fsweetser: yeah, somewhat ditto
[2008/04/19 01:52:26] @ sknight is now known as sknight42
[2008/04/19 01:53:14] <fsweetser> muerr: I've heard the redhat infrastructure people are interested in managing selinux, so I should probably spend some time on it
[2008/04/19 01:53:42] <muerr> fsweetser: looking for a job w/ them? :)
[2008/04/19 01:53:50] @ Quit: Innocenti: Client Quit
[2008/04/19 01:54:03] <fsweetser> nah, though if the price is right I wouldn't say no =)
[2008/04/19 01:55:14] @ a-priori___ joined channel #puppet
[2008/04/19 02:00:33] @ Quit: oxtail: Read error: 113 (No route to host)
[2008/04/19 02:01:56] @ Quit: a-priori_: Read error: 110 (Connection timed out)
[2008/04/19 02:02:48] @ Quit: a-priori: Read error: 110 (Connection timed out)
[2008/04/19 02:05:41] @ a-priori joined channel #puppet
[2008/04/19 02:10:12] @ Quit: a-priori__: No route to host
[2008/04/19 02:10:31] <e^ipi> how does one set ruby's search path?
[2008/04/19 02:11:03] <e^ipi> i installed puppet from gems, now "puppetmasterd:83:in `require': no such file to load -- puppet (LoadError)"
[2008/04/19 02:14:47] @ Quit: nevyn: Read error: 110 (Connection timed out)
[2008/04/19 02:18:43] @ tim\|imac joined channel #puppet
[2008/04/19 02:21:16] @ Quit: a-priori___: Read error: 110 (Connection timed out)
[2008/04/19 02:22:21] <muerr> i don't know about puppet as a gem, but when i've tinkered with other gems, i needed "require 'rubygems'" to use them.
[2008/04/19 02:22:48] <e^ipi> blink
[2008/04/19 02:23:22] @ Quit: hX8: Read error: 113 (No route to host)
[2008/04/19 02:23:25] @ hX8 joined channel #puppet
[2008/04/19 02:24:23] @ Quit: jason^: Remote closed the connection
[2008/04/19 02:24:32] @ Quit: brenton: Remote closed the connection
[2008/04/19 02:24:32] @ Quit: hacim: Remote closed the connection
[2008/04/19 02:24:35] @ hacim joined channel #puppet
[2008/04/19 02:24:37] @ brenton joined channel #puppet
[2008/04/19 02:24:40] @ jason^ joined channel #puppet
[2008/04/19 02:24:51] @ Quit: thom: Remote closed the connection
[2008/04/19 02:24:57] @ thom joined channel #puppet
[2008/04/19 02:25:16] @ Quit: zirpu: Remote closed the connection
[2008/04/19 02:25:22] @ zirpu joined channel #puppet
[2008/04/19 02:25:36] @ Quit: folken: Remote closed the connection
[2008/04/19 02:27:32] @ folken joined channel #puppet
[2008/04/19 02:31:44] @ Quit: a-priori: Read error: 113 (No route to host)
[2008/04/19 02:35:06] @ Quit: pawalls: Read error: 113 (No route to host)
[2008/04/19 02:35:31] @ pawalls joined channel #puppet
[2008/04/19 02:41:43] @ Quit: DerekW: "Leaving"
[2008/04/19 02:43:59] @ Quit: jamesturnbull: Read error: 104 (Connection reset by peer)
[2008/04/19 02:43:59] @ spike_ joined channel #puppet
[2008/04/19 02:44:02] @ Quit: ricky: Read error: 104 (Connection reset by peer)
[2008/04/19 02:44:02] @ jamesturnbull joined channel #puppet
[2008/04/19 02:44:05] @ ricky joined channel #puppet
[2008/04/19 02:44:28] @ Quit: spike: Read error: 104 (Connection reset by peer)
[2008/04/19 02:52:22] <hacim> mmmf puppetmaster ate all my memory and now I can't get to the machine
[2008/04/19 02:52:51] @ nevyn joined channel #puppet
[2008/04/19 03:14:41] @ Quit: ballpointpenthie: Remote closed the connection
[2008/04/19 03:16:21] @ pleemans joined channel #puppet
[2008/04/19 03:23:49] <ashp> This is the STRANGEST thing I have ever seen.
[2008/04/19 03:23:55] <ashp> My puppetmaster is now pretending to be another host on the network.
[2008/04/19 03:24:07] <ashp> It's changed it's hostname on a reboot, and I don't know what the hell is going on.
[2008/04/19 03:24:59] <ashp> now i get err: State got corrupted
[2008/04/19 03:25:05] <ashp> I am going to assume something very bad is happennig.
[2008/04/19 03:28:27] <ashp> It changed from hlslinutil02 to hlsdevnfs which aren't even remotely connected, I wonder what the hell caused it to do that
[2008/04/19 03:28:34] <ashp> once it did that, puppet then went and configured it wrongly
[2008/04/19 03:30:40] <ashp> IT DID IT AGAIN
[2008/04/19 03:32:40] <ashp> oh, oh dear, it's all my fault :(
[2008/04/19 03:37:22] @ docelic joined channel #puppet
[2008/04/19 03:37:59] @ Quit: lutter: "Leaving."
[2008/04/19 03:43:56] <sknight42> l33t-h4x0rz?
[2008/04/19 03:44:11] <sknight42> or is DHCP going "AAARRRGGGGGHHHHHHSSSPlplplbbbtttttt"
[2008/04/19 03:46:29] <sknight42> when doing a file object with a case statement, can I have two identical options that match twice and create two files that are identical?
[2008/04/19 03:46:32] <sknight42> i.e., this:
[2008/04/19 03:47:19] <sknight42> http://pastebin.com/d6d2b956
[2008/04/19 03:47:45] <sknight42> two files on my debian boxes are identical, /etc/ldap.conf and /etc/pam_ldap.conf, but that second file doesn't exist on the CentOS boxen
[2008/04/19 03:48:06] <Volcane> debian => [ "file1", "file2" ],
[2008/04/19 03:48:13] <sknight42> oh very cool
[2008/04/19 03:48:15] <sknight42> thanks dude
[2008/04/19 03:49:08] <Volcane> np
[2008/04/19 03:50:49] @ flakrat_ joined channel #puppet
[2008/04/19 03:51:40] <sknight42> can I have one of those case statements be null, too?
[2008/04/19 03:51:46] <ashp> sknight42: I had cut and pasted my network define, and forgot to change the hostname :D
[2008/04/19 03:51:56] <sknight42> i.e. if I want debian to have those two files, but centos to not get any files
[2008/04/19 03:51:58] <ashp> so it would start up, set its hostname to nfsdev half way through, then start configuring all the wrong things
[2008/04/19 03:52:44] <Volcane> sknight42: not sure that will work, but you could put a case around your include file
[2008/04/19 03:52:49] <Volcane> include line even
[2008/04/19 03:52:54] @ Quit: pleemans: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:54] @ Quit: pawalls: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:54] @ Quit: duritong: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:54] @ Quit: \ask: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:55] @ Quit: blblack: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:55] @ Quit: markl__: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:55] @ Quit: Hunnur_: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:55] @ Quit: shenson: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:55] @ Quit: flakrat: heinlein.freenode.net irc.freenode.net
[2008/04/19 03:52:55] @ Quit: shake-n-bake: Read error: 110 (Connection timed out)
[2008/04/19 03:55:05] @ markl__ joined channel #puppet
[2008/04/19 03:55:26] @ blblack joined channel #puppet
[2008/04/19 03:55:27] @ Hunnur joined channel #puppet
[2008/04/19 03:55:34] @ duritong joined channel #puppet
[2008/04/19 03:56:15] @ shenson joined channel #puppet
[2008/04/19 03:57:31] @ shake-n-bake joined channel #puppet
[2008/04/19 03:59:39] @ \ask joined channel #puppet
[2008/04/19 04:01:33] @ Quit: zobbo_: Read error: 113 (No route to host)
[2008/04/19 04:06:58] @ Quit: shenson: Killed by sagan.freenode.net (Nick collision)
[2008/04/19 04:07:03] @ Quit: markl__: Killed by sagan.freenode.net (Nick collision)
[2008/04/19 04:07:06] @ markl___ joined channel #puppet
[2008/04/19 04:07:09] @ shenson` joined channel #puppet
[2008/04/19 04:07:14] @ pleemans joined channel #puppet
[2008/04/19 04:07:14] @ pawalls joined channel #puppet
[2008/04/19 04:07:14] @ markl__ joined channel #puppet
[2008/04/19 04:07:14] @ Hunnur_ joined channel #puppet
[2008/04/19 04:07:14] @ shenson joined channel #puppet
[2008/04/19 04:07:14] @ flakrat joined channel #puppet
[2008/04/19 04:07:23] @ Quit: shenson: Read error: 104 (Connection reset by peer)
[2008/04/19 04:07:24] @ Quit: pawalls: Dead socket
[2008/04/19 04:07:25] @ pawalls joined channel #puppet
[2008/04/19 04:11:43] @ Quit: pawalls: heinlein.freenode.net irc.freenode.net
[2008/04/19 04:11:43] @ Quit: Hunnur_: heinlein.freenode.net irc.freenode.net
[2008/04/19 04:11:43] @ Quit: markl__: heinlein.freenode.net irc.freenode.net
[2008/04/19 04:11:43] @ Quit: flakrat: heinlein.freenode.net irc.freenode.net
[2008/04/19 04:11:43] @ Quit: pleemans: heinlein.freenode.net irc.freenode.net
[2008/04/19 04:13:55] @ pleemans joined channel #puppet
[2008/04/19 04:21:29] @ plathrop joined channel #puppet
[2008/04/19 04:21:38] @ docelic_ joined channel #puppet
[2008/04/19 04:24:59] @ pawalls joined channel #puppet
[2008/04/19 04:34:11] @ Quit: docelic: Nick collision from services.
[2008/04/19 04:34:13] @ docelic_ is now known as docelic
[2008/04/19 04:44:00] @ skoog_ joined channel #puppet
[2008/04/19 04:44:47] @ Quit: skoog_: Client Quit
[2008/04/19 04:44:50] @ Quit: shake-n-bake:
[2008/04/19 04:52:22] @ a-priori joined channel #puppet
[2008/04/19 04:55:55] @ roald joined channel #puppet
[2008/04/19 04:57:23] <sknight42> Volcane: example?
[2008/04/19 04:58:59] <fastjay> anyone seen puppetd crash on a box when ldap goes silley?
[2008/04/19 05:01:32] @ Quit: londo__: Read error: 113 (No route to host)
[2008/04/19 05:01:34] [msg(#puppet)] ::puppet:: Whos Using Puppet edited by apenney @ http://reductivelabs.com/trac/puppet/wiki/WhosUsingPuppet
[2008/04/19 05:04:53] <plathrop> fastjay: Everything crashes when my LDAP goes silly
[2008/04/19 05:05:43] <fastjay> yeah.. i just noticed a bunch of boxes crashed their puppetd.. or it stopped running.. and.. puppetwhen shows it right around the same time as ldap crashed ;)
[2008/04/19 05:06:36] <ashp> it's me, i'm using puppet!
[2008/04/19 05:06:49] <ashp> fastjay: Do you using external nodes?
[2008/04/19 05:07:20] <fastjay> external nodes?
[2008/04/19 05:09:07] <plathrop> fastjay: If you don't know you probably aren't :-P Do you have node "a.example.com" { stuff in your manifests?
[2008/04/19 05:09:17] <plathrop> fastjay: If so, the answer to ashp would be "No"
[2008/04/19 05:09:35] <fastjay> my nodes.pp
[2008/04/19 05:09:45] <fastjay> oh i get it.. no the nodes are not in ldap they are in my manifests
[2008/04/19 05:09:49] <ashp> Excluding that, do you do user authentication against ldap?
[2008/04/19 05:09:59] <ashp> maybe puppetd tried to do a user/group lookup and freaked out
[2008/04/19 05:10:09] <fastjay> yeah
[2008/04/19 05:10:13] <fastjay> thats my thought ashp
[2008/04/19 05:17:57] @ Quit: jvanzyl:
[2008/04/19 05:18:21] @ zobbo joined channel #puppet
[2008/04/19 05:25:01] @ shadoi joined channel #puppet
[2008/04/19 05:34:05] <hacim> how can I add a user into a group with puppet? I tried defining the user with the user type, but the user already exists, the group type wont do it either
[2008/04/19 05:34:13] <hacim> I feel like I must be missing something really obvious here :)
[2008/04/19 05:35:02] <shadoi> gid => <group name or gid>
[2008/04/19 05:35:22] <hacim> shadoi: in what type?
[2008/04/19 05:35:30] <shadoi> or use member if it's not the primary group
[2008/04/19 05:35:58] <hacim> shadoi: that only works for the user type
[2008/04/19 05:36:18] <shadoi> yeah... you list the groups they're a member of
[2008/04/19 05:36:26] <hacim> hmm
[2008/04/19 05:36:37] <hacim> if I dont specify a uid, will it just use the one that already exists for that user?
[2008/04/19 05:37:11] <shadoi> oh so the user isn't managed at all?
[2008/04/19 05:37:17] <shadoi> why not just add it?
[2008/04/19 05:37:22] <hacim> the user 'postfix' is installed with the postfix package
[2008/04/19 05:37:35] <hacim> which conflicts with the way that puppet manages it
[2008/04/19 05:37:41] <shadoi> it shouldn't hurt to define it in the manifest...
[2008/04/19 05:37:47] <hacim> here is the problem
[2008/04/19 05:37:48] <ashp> yeah, just define it on top
[2008/04/19 05:37:52] <ashp> it'll only correct the gid that way
[2008/04/19 05:38:08] <hacim> ashp: so if I do user { postfix: gid => 103 } it will only correct the gid?
[2008/04/19 05:38:14] <shadoi> yeah
[2008/04/19 05:38:26] <hacim> and ingroups => sasl will add it to that group
[2008/04/19 05:38:34] <hacim> err groups => sasl
[2008/04/19 05:38:36] <ashp> yep
[2008/04/19 05:38:46] <shadoi> but you should make it depend on the package so the user always gets created by the package and not puppet
[2008/04/19 05:39:03] <hacim> right
[2008/04/19 05:39:10] <hacim> already have require => [ Package["sasl2-bin"], Package ["postfix"] ];
[2008/04/19 05:40:05] <hacim> i need coffee
[2008/04/19 05:42:08] <benp-> require => Beverage[coffee]
[2008/04/19 05:43:05] <ashp> require => ['Beverage[scotch]','Beverage['coke']]
[2008/04/19 05:58:24] @ Quit: zobbo: "Enough no more 'tis not as sweet as it was before"
[2008/04/19 06:10:17] @ gh joined channel #puppet
[2008/04/19 06:11:04] @ emerose joined channel #puppet
[2008/04/19 06:12:04] @ londo_ is now known as londo
[2008/04/19 06:12:05] <gh> "err: Could not create stamp: Could not find a default provider for user" - does this mean that puppet cannot find /usr/sbin/useradd on my centos 5.1 system?
[2008/04/19 06:16:00] <lak> gh: if you run it in debug mode, it will tell you what providers weren't considered suitable and why
[2008/04/19 06:16:20] <e^ipi> do i need to restart the puppetmaster if i change a manifest?
[2008/04/19 06:16:31] <e^ipi> and when do the slaves pick up on the changes?
[2008/04/19 06:16:46] <lak> or, you can run puppetdoc -r providers to get a list of all providers, whether they're suitable and why not if they're not
[2008/04/19 06:16:49] <lak> it'll be in rst
[2008/04/19 06:17:07] <Wakko666> gh: likely, you need ruby-shadow
[2008/04/19 06:17:26] <lak> he shouldn't for basic user mgmt
[2008/04/19 06:17:27] <benp-> or /usr/sbin on your $PATH
[2008/04/19 06:17:45] <lak> gh: but it could easily be that /usr/sbin/ isn't in your path when you run puppet
[2008/04/19 06:18:06] <Wakko666> though, i got this error last week when i was trying to do local user management on a system that was also configured for ldap
[2008/04/19 06:18:13] <Wakko666> s/this/that
[2008/04/19 06:21:27] <sknight42> what's the 'debian' way to start iptables on boot?
[2008/04/19 06:21:37] <gh> /usr/sbin is NOT in my path by default.. how do i tell puppet to look for it in a certain place?
[2008/04/19 06:21:41] <sknight42> I just have a post-up entry for iface lo in /etc/network/interfaces
[2008/04/19 06:21:57] <sknight42> but something tells me if I tell puppet to make sure the 'iptables' service is running, it won't like that
[2008/04/19 06:22:04] <muerr> gh are you using "sudo puppetd..." ?
[2008/04/19 06:22:22] <gh> can i stick something like a { user: PATH => "$PATH:/usr/sbin" } or something similar
[2008/04/19 06:23:59] @ shenson` is now known as shenson_not_here
[2008/04/19 06:24:39] <gh> ah.. i get it.. works when root runs it, not when i sudo because its using the wrong $PATH
[2008/04/19 06:25:00] <muerr> hence i asked if you're using sudo :-)
[2008/04/19 06:25:06] <benp-> use "sudo su -" or something to inherit root's environment first
[2008/04/19 06:25:10] <benp-> or run puppetd as a service
[2008/04/19 06:25:58] <benp-> er, i mean invoke it from the init script or service command
[2008/04/19 06:28:23] @ Quit: pleemans: Remote closed the connection
[2008/04/19 06:29:56] <lak> gh: yeah, that would explain it
[2008/04/19 06:31:33] @ thecat left channel #puppet ()
[2008/04/19 06:31:33] @ Quit: stahnma: Read error: 104 (Connection reset by peer)
[2008/04/19 06:31:51] @ stahnma joined channel #puppet
[2008/04/19 06:32:48] <muerr> gh: PATH=$PATH:/sbin:/usr/sbin sudo puppetd ...
[2008/04/19 06:35:26] <plathrop> e^ipi: You do not need to restart puppetmaster when you change a manifest.
[2008/04/19 06:35:46] <plathrop> e^ipi: puppetmaster will detect the change and reload after a (usually very) short interval.
[2008/04/19 06:35:59] <plathrop> e^ipi: Then clients will pick up the change on their next run.
[2008/04/19 06:36:26] <muerr> plathrop: yup, and its every 15 or 30 seconds (can't remember which)
[2008/04/19 06:37:04] <plathrop> muerr 15 by default. I know off the top of my head because I was writing tests for LoadedFile, which is responsible for detecting changes to files.
[2008/04/19 06:37:14] <muerr> :)
[2008/04/19 06:37:37] <plathrop> Speaking of tests, I hope to write some more this weekend.
[2008/04/19 06:37:48] <plathrop> If I can figure out what a good next step is after LoadedFile
[2008/04/19 06:37:53] <shadoi> plathrop: you're a god. :)
[2008/04/19 06:38:01] <shadoi> I hate writing tests for some reason.
[2008/04/19 06:38:34] <plathrop> shadoi: Thanks for the compliment. Test-writing can be infuriating, that's for sure
[2008/04/19 06:43:08] <lak> i'm finally getting more comfortable with tdd
[2008/04/19 06:43:17] <lak> i've been doing almost all of this ssl stuff as tdd
[2008/04/19 06:43:25] <lak> and it feels like the first time it's mostly worked
[2008/04/19 06:44:51] <plathrop> lak: That's good news. It certainly makes for easily-comprehensible code, doesn't it?
[2008/04/19 06:45:03] <lak> that's the theory, yeah
[2008/04/19 06:45:06] <lak> and it's probably true
[2008/04/19 06:45:16] <lak> but it's taken me about 8 mos of kicking myself in the head to get here
[2008/04/19 06:45:22] <plathrop> lak: As long as you can figure out how to write the tests w/o twisting the code in weird ways to make it testable...
[2008/04/19 06:45:28] <lak> right
[2008/04/19 06:45:35] <lak> that's half the challenge
[2008/04/19 06:45:50] <lak> a big problem for me, too, is just trying to think in terms of behaviour instead of code
[2008/04/19 06:46:03] @ emerose_ joined channel #puppet
[2008/04/19 06:46:07] <lak> it's 100x easier with end classes, instead of integration classes
[2008/04/19 06:46:18] <shadoi> my biggest problem is I just get too involved in the problems and forget to update the tests
[2008/04/19 06:46:33] <shadoi> and then it's just a huge pain
[2008/04/19 06:48:50] <lak> yeah
[2008/04/19 06:51:00] @ Quit: emerose: Read error: 110 (Connection timed out)
[2008/04/19 06:52:34] @ emerose joined channel #puppet
[2008/04/19 06:52:48] [msg(#puppet)] ::puppet:: Puppet Book Errata edited by flakrat @ http://reductivelabs.com/trac/puppet/wiki/PuppetBookErrata
[2008/04/19 06:53:02] @ Quit: emerose_: Read error: 104 (Connection reset by peer)
[2008/04/19 06:54:51] <sknight42> question
[2008/04/19 06:55:08] <sknight42> as a matter of style, should I put a module that controls /etc/inittab (for enabling of serial consoles) into a module at all?
[2008/04/19 06:55:37] <sknight42> or since it's one file (that differs by OS only), should it just be part of baseapps with a case selector based on OS?
[2008/04/19 06:56:18] * lak always prefers resource-based rather than file based
[2008/04/19 06:56:32] <sknight42> ?
[2008/04/19 06:56:36] <sknight42> example?
[2008/04/19 06:56:49] <lak> create an inittab defined type or something
[2008/04/19 06:56:57] <lak> i'd create a native type, probably, but that's just me
[2008/04/19 06:57:33] <muerr> sknight42: we manage inittab with a file resource.
[2008/04/19 06:58:06] <sknight42> what is a 'defined type', and how does that differ from something like a template?
[2008/04/19 06:58:29] <lak> they're created with the 'define' keyword
[2008/04/19 06:58:33] <muerr> defined type is a resource collection using the 'define' keyword.
[2008/04/19 06:58:50] <muerr> similar to a function in programming languages.
[2008/04/19 06:59:15] <sknight42> so how would I create one of these mystical 'defined types'?
[2008/04/19 07:01:22] <lak> see the language tutorial
[2008/04/19 07:03:37] <plathrop> lak: Out of curiosity, how is a define superior in this case? It a) will only be a weak abstraction over File, and b) doesn't map well to the concept of defines being things you can have multiple instances of on a particular host.
[2008/04/19 07:03:45] <shadoi> muerr: thinking of defines as functions gets a lot of people into trouble I think.
[2008/04/19 07:03:50] @ Quit: jY: Remote closed the connection
[2008/04/19 07:04:17] <plathrop> shadoi: Well, it worked well to a point to bootstrap my understanding. Certainly taking the metaphor too far could get you in trouble.
[2008/04/19 07:04:49] <shadoi> yeah, I just spent a week refactoring code that was based on that assumption and it was a MESS.
[2008/04/19 07:04:58] <sknight42> ahh, I see
[2008/04/19 07:05:07] <sknight42> THAT will come in handy when I write my iptables module
[2008/04/19 07:05:26] <shadoi> sknight42: there are already a few different attempts at a native type for iptables
[2008/04/19 07:05:37] <shadoi> plenty of existing defines too I'm sure.
[2008/04/19 07:08:50] @ Quit: statik: "Coyote finally caught me"
[2008/04/19 07:09:10] <muerr> shadoi: how so?
[2008/04/19 07:12:23] <shadoi> muerr: hmm?
[2008/04/19 07:12:33] <muerr> function as define getting people in trouble
[2008/04/19 07:12:46] <shadoi> ah.. well you're creating a new _resource_ with a define
[2008/04/19 07:12:56] <shadoi> when you think of it as a function you start trying to do weird things with them
[2008/04/19 07:13:00] <shadoi> instead of declaring them
[2008/04/19 07:13:02] <muerr> what does a function provide to a typical programming language? a reusable bit of code that will do stuff based on parameters passed to it.
[2008/04/19 07:13:17] <muerr> a defined type in puppet essentially does the same thing.
[2008/04/19 07:13:31] <shadoi> muerr: just trying to pass on what I've seen.
[2008/04/19 07:14:46] @ Quit: lak:
[2008/04/19 07:17:29] @ Quit: emerose: Read error: 110 (Connection timed out)
[2008/04/19 07:18:13] <Demosthenex> regarding iptables... i just configure bastille firewall via text file...
[2008/04/19 07:19:59] @ Quit: strerror_work:
[2008/04/19 07:21:54] <shadoi> muerr: I'd show you a prime example but I think my client would murder me
[2008/04/19 07:22:09] <muerr> :)
[2008/04/19 07:22:14] <muerr> no worries.
[2008/04/19 07:32:54] @ steinmb joined channel #puppet
[2008/04/19 07:33:21] <Demosthenex> shadoi: anonymize ;]
[2008/04/19 07:34:12] <shadoi> Demosthenex: hmm?
[2008/04/19 07:35:22] @ Quit: muerr: "Leaving."
[2008/04/19 07:40:12] <Demosthenex> shadoi: you had a confidential sample
[2008/04/19 07:40:41] @ shake-n-bake joined channel #puppet
[2008/04/19 07:57:18] @ Quit: baard1973: Read error: 110 (Connection timed out)
[2008/04/19 08:01:51] <sknight42> well, looking at the recipe on the site, that doesn't do what I want
[2008/04/19 08:02:19] @ mwr joined channel #puppet
[2008/04/19 08:03:04] <sknight42> I want to have just a flat file that's specific to the type of machine (i.e. all the webservers get firewall X, all the mail servers get firewall Y), and when I edit the file back on the puppetmaster, I want it distributed to the right places and then have 'iptables-restore /etc/network/iptables" run
[2008/04/19 08:04:07] <sknight42> would that be a class, or a module?
[2008/04/19 08:04:31] <plathrop> sknight42: You can do that as part of a class, although I definitely see how a define would apply here.
[2008/04/19 08:04:31] <mwr> a module is basically a class, associated templates, and source files all collected into one folder tree.
[2008/04/19 08:04:58] <plathrop> You'd do a define firewall {
[2008/04/19 08:05:21] <plathrop> then add resources for the file and the exec that depends on the file, within the define.
[2008/04/19 08:05:39] <plathrop> But yeah, I personally would use a class :-D
[2008/04/19 08:06:04] @ lutter joined channel #puppet
[2008/04/19 08:06:35] <sknight42> any examples?
[2008/04/19 08:06:52] <plathrop> sknight42: For iptables, no. I don't use it. Sorry
[2008/04/19 08:06:58] <sknight42> hehe
[2008/04/19 08:07:06] <plathrop> sknight42: For defines, though? I have a couple
[2008/04/19 08:07:14] <mwr> I don't have any that are exactly what you're looking for, but I've got a couple of starting points. No, mine don't hav anything to do with firewalls, either.
[2008/04/19 08:07:21] <sknight42> pastebin?
[2008/04/19 08:07:28] <plathrop> pastie: hit me
[2008/04/19 08:07:28] <pastie> plathrop: are you sure, it might hurt?
[2008/04/19 08:07:45] <sknight42> hahaha!
[2008/04/19 08:07:46] <plathrop> pastie: I'm sure, man. Give me the stuff
[2008/04/19 08:07:53] <sknight42> that is the coolest little bot ever
[2008/04/19 08:08:26] <mwr> http://tinyurl.com/5dqmp5 and http://tinyurl.com/5jzbfs are two of my examples.
[2008/04/19 08:08:35] <shadoi> sknight42: I've got an iptables native type link by a guy here at stanford, hang on, let me dig it up
[2008/04/19 08:08:42] <sknight42> cool!
[2008/04/19 08:08:57] <mwr> basically, you'd need some way of deciding which iptables file to copy down (could be based off hostname easily, if not flexibly). then an exec line that subscribes to the file.
[2008/04/19 08:09:15] <sknight42> I was thinking of setting it up via nodes
[2008/04/19 08:09:15] <mwr> the exec runs the iptables.
[2008/04/19 08:09:29] <sknight42> I've got a basenode defined, which has a bunch of generic shit
[2008/04/19 08:09:37] <shadoi> http://www.stanford.edu/~priimak/soft/puppet/iptables/index.html
[2008/04/19 08:09:39] <sknight42> then I've got stuff like "node dns inherits basenode {}"
[2008/04/19 08:09:48] <plathrop> sknight42: It'll take me a minute, I've got my examples trapped in big tar files.
[2008/04/19 08:10:31] @ shake-n-bake_ joined channel #puppet
[2008/04/19 08:10:31] <sknight42> I could add "include" lines to the more specific node types calling the iptables class/definition/module/whatever
[2008/04/19 08:11:09] <sknight42> is there a way I could pass some sort of variable or tag into a genericized iptables class/module/whatever, so I can do a case statement based on that for file-subscription?
[2008/04/19 08:11:09] <mwr> yeah. $servertype='web' followed by include iptables would work if the iptables class referenced the $servertype variable.
[2008/04/19 08:11:21] <sknight42> sexy!
[2008/04/19 08:11:34] <shadoi> sknight42: look at that link, it may make it easier on you
[2008/04/19 08:11:36] <mwr> shouldn't need a case.
[2008/04/19 08:12:00] <pastie> http://pastie.org/183248 by plathrop.
[2008/04/19 08:12:16] <plathrop> sknight42: There's a really hackish define I made for xen-guests
[2008/04/19 08:12:36] <plathrop> But it uses most of the features of define, so should help
[2008/04/19 08:12:48] <mwr> Off-topic in a technical sense, but does Luke still work out of Nashville?
[2008/04/19 08:13:42] * plathrop edited the paste to show a usage example
[2008/04/19 08:15:25] <sknight42> neat!
[2008/04/19 08:16:44] <shadoi> mwr: yeah
[2008/04/19 08:17:19] <sknight42> ok, this is weird
[2008/04/19 08:17:28] <sknight42> I'm getting this error:
[2008/04/19 08:17:29] <sknight42> err: Could not retrieve catalog: Puppet::Parser::AST::Resource failed with error ArgumentError: Duplicate definition: File[] is already defined in file /etc/puppet/modules/ldap/manifests/init.pp at line 50; cannot redefine at /etc/puppet/modules/ldap/manifests/init.pp:59 on node vps004.eigvps.net
[2008/04/19 08:17:37] <mwr> thanks. working on a presentation for a higher-ed group next week, and we're all in Tennessee. If I was going to tell them he was in Nashville, I'd want it to be accurate. And he may get some local business out of it.
[2008/04/19 08:17:58] <sknight42> on this code:http://pastie.org/183258
[2008/04/19 08:18:06] <sknight42> File is only referenced once, AFAICT
[2008/04/19 08:19:04] <plathrop> sknight42: Superfluous }: on line 47
[2008/04/19 08:19:36] <plathrop> I see what you are trying to do, but I think your syntax is off
[2008/04/19 08:19:55] <sknight42> what do you mean 'superfluous'? if that's not there, how will the file descriptor close?
[2008/04/19 08:19:57] <plathrop> I could be wrong, and in fact I am
[2008/04/19 08:20:01] <plathrop> :-P
[2008/04/19 08:20:01] <mwr> the line 15 stanza is odd. wouldn't that attempt to write libnss-ldap.conf and pam_lda.conf out of the contents of libnss-ldap.conf ?
[2008/04/19 08:20:09] <sknight42> they're identical
[2008/04/19 08:20:11] <Volcane> no i think the problem is that you have
[2008/04/19 08:20:13] <sknight42> at least in our environment
[2008/04/19 08:20:17] <Volcane> default => ""
[2008/04/19 08:20:25] <Volcane> which will result in file{"":...}
[2008/04/19 08:20:42] <plathrop> Volcane is right
[2008/04/19 08:20:45] <plathrop> That's the problem
[2008/04/19 08:20:49] <sknight42> ahhh
[2008/04/19 08:20:51] @ Quit: a-priori:
[2008/04/19 08:20:54] <Volcane> :)
[2008/04/19 08:20:57] <sknight42> facter \| grep operating gives me this:
[2008/04/19 08:21:08] <sknight42> operatingsystem => CentOS
[2008/04/19 08:21:21] <sknight42> is the matching in case statements case-sensitive?
[2008/04/19 08:21:24] <plathrop> What you want is default => undef
[2008/04/19 08:21:38] <sknight42> no quotes?
[2008/04/19 08:21:46] <plathrop> no quotes
[2008/04/19 08:21:49] <plathrop> it's a keyword
[2008/04/19 08:22:16] <plathrop> Of ourse, what you really want is to do this right
[2008/04/19 08:22:22] <plathrop> I'll paste an example
[2008/04/19 08:22:24] <plathrop> Hold on
[2008/04/19 08:22:45] <sknight42> see, now I'm getting this: err: Could not retrieve catalog: Puppet::Parser::AST::Resource failed with error ArgumentError: Duplicate definition: File[undef] is already defined in file /etc/puppet/modules/ldap/manifests/init.pp at line 50; cannot redefine at /etc/puppet/modules/ldap/manifests/init.pp:59 on node vps004.eigvps.net
[2008/04/19 08:23:06] <Volcane> you want to not put a file there if its a certain OS
[2008/04/19 08:23:11] <sknight42> correct
[2008/04/19 08:23:23] <Volcane> class some_ldap_file { file{"blah": ....}}
[2008/04/19 08:23:24] <Volcane> ok
[2008/04/19 08:23:26] <Volcane> then in your main
[2008/04/19 08:23:29] <Volcane> do a case
[2008/04/19 08:23:39] <Volcane> and only include some_ldap_file on the Os that will need it
[2008/04/19 08:23:58] <plathrop> sknight42: Okay if I edit your paste to show you?
[2008/04/19 08:23:59] <sknight42> wait, what?
[2008/04/19 08:24:08] <sknight42> volcane: I have no idea what you just said :-p
[2008/04/19 08:24:17] <Volcane> hehe
[2008/04/19 08:24:18] <sknight42> plathrop: sure
[2008/04/19 08:24:18] <plathrop> sknight42: I'm about to demonstrate.
[2008/04/19 08:24:29] @ Quit: shake-n-bake: Read error: 110 (Connection timed out)
[2008/04/19 08:24:46] <plathrop> pastie: link me
[2008/04/19 08:25:52] @ pdt joined channel #puppet
[2008/04/19 08:27:46] <Volcane> heh
[2008/04/19 08:29:10] * plathrop is refactoring, please wait
[2008/04/19 08:31:15] <Volcane> sknight42: you can also save a bit of hassle and make things clearer with constructs like:
[2008/04/19 08:32:13] <Volcane> $ldap_packages = $operatingsystem ? {
[2008/04/19 08:32:34] <Volcane> centos => [ .... ],
[2008/04/19 08:32:40] <Volcane> debian => [ .....],
[2008/04/19 08:32:43] <Volcane> }
[2008/04/19 08:32:44] <Volcane> etc
[2008/04/19 08:33:16] <Volcane> see http://reductivelabs.com/trac/puppet/wiki/LanguageTutorial#variables for samples
[2008/04/19 08:35:02] <sknight42> I already do that
[2008/04/19 08:35:07] <sknight42> look at the top of the file
[2008/04/19 08:35:17] <Volcane> oh i see you use that, but yeah in that one sample of the lap package you can remove some extra lines
[2008/04/19 08:35:29] <sknight42> all the file{} statements are just what needs to be done AFTER the packages are installed
[2008/04/19 08:35:49] <pastie> http://pastie.org/183264 by plathrop.
[2008/04/19 08:35:55] <Volcane> they dont get executed in order what you specify them
[2008/04/19 08:36:11] <Volcane> so just by having the package bit lited first doesnt mean it will get installed first
[2008/04/19 08:36:13] @ Quit: nigelk:
[2008/04/19 08:36:15] <plathrop> sknight42: So that paste is partly what you need to change
[2008/04/19 08:36:21] <mwr> the pattern I end up using often is "config file requires package, service requires package and file"
[2008/04/19 08:36:25] <plathrop> sknight42: You also need dependencies like Volcane is saying
[2008/04/19 08:36:28] <sknight42> damn plathrop, that's downright sexy
[2008/04/19 08:36:47] <mwr> that way, the package gets installed first, then my config file, and the service gets restarted as soon as the new file comes in.
[2008/04/19 08:37:01] <plathrop> sknight42: Nah, sexy is my ldap module, but it isn't quite ready for the public yet
[2008/04/19 08:37:32] <plathrop> sknight42: Soon I'll share it. It's debian-only now, but it is written to be easily patched for other OSes
[2008/04/19 08:38:23] <Volcane> plathrop: see quite a bit of duplication in your exaple, I would make a class for the ldap.conf file, lets say call it ldap_config and just include it several time where needed
[2008/04/19 08:38:32] <Volcane> plathrop: taht way you have one place to edit if you wish to change permissions etc
[2008/04/19 08:38:39] <Volcane> and the case statement is less clusttered
[2008/04/19 08:38:55] <sknight42> so how should I structure the dependancies?
[2008/04/19 08:39:06] <plathrop> Volcane: I just refactored what is there :-P I wouldn't do it that way myself
[2008/04/19 08:39:14] <plathrop> I was just trying to show the proper use of case
[2008/04/19 08:39:19] <Volcane> but thats just really readability enhancements not functional
[2008/04/19 08:39:25] <Volcane> plathrop: nods nods
[2008/04/19 08:39:28] <mwr> dependencies example: http://tinyurl.com/5jzbfs
[2008/04/19 08:39:34] <plathrop> because the way it was written was a monstrosity. No offense, sknight42
[2008/04/19 08:39:41] <Volcane> plathrop: hehe
[2008/04/19 08:40:47] <mwr> you can ignore the facter-related stuff there. but the file entry has a require => Package[ntp] and the service entry has a require => [ File[ntpconf], Package[ntp] ]
[2008/04/19 08:40:53] <sknight42> none taken
[2008/04/19 08:41:09] <sknight42> this is my first puppet install, so I'm fully aware that it's gonna look nightmarish
[2008/04/19 08:41:13] <sknight42> I just want to get SOMETHING in place
[2008/04/19 08:41:20] <sknight42> right now, ANYTHING is better than for-loops
[2008/04/19 08:41:39] <Volcane> file{"/etc/blah": source => puppet:///etc/blah; require => Package["ldap"] }
[2008/04/19 08:41:48] <mwr> using puppet to distribute authorized keys and then installing dsh on the puppetmaster is better, too.
[2008/04/19 08:42:06] <mwr> but only barely.
[2008/04/19 08:42:27] <plathrop> mwr: Imperative tools still have their uses, IMO
[2008/04/19 08:42:29] <sknight42> now is that Package the actual package as seen by apt-get?
[2008/04/19 08:42:42] <mwr> no argument there.
[2008/04/19 08:42:42] <sknight42> or is that the $ldap_packages variable from puppet?
[2008/04/19 08:42:52] <Volcane> sknight42: it would be $ldap_package
[2008/04/19 08:42:58] <sknight42> ok, cool
[2008/04/19 08:42:59] <plathrop> sknight42: you'd do require => Package[$ldap_package]
[2008/04/19 08:43:15] <sknight42> could I put that in the File object up at the very top?
[2008/04/19 08:43:22] <plathrop> sknight42: Bad idea
[2008/04/19 08:43:27] <sknight42> awwww
[2008/04/19 08:43:40] <plathrop> Well, maybe not
[2008/04/19 08:43:45] * Volcane would split this into several classes
[2008/04/19 08:43:50] <plathrop> My knee-jerk reaction is that it would cause problems.
[2008/04/19 08:44:01] <Volcane> ldap_package, ldap_config, ldap_server
[2008/04/19 08:44:07] <Volcane> in ldap_package you install all the stuff
[2008/04/19 08:44:11] <plathrop> pastie: show me some love
[2008/04/19 08:44:13] * mwr punted to winbind and active directory.
[2008/04/19 08:44:15] <Volcane> in ldap_config you install all the configs
[2008/04/19 08:44:20] <pastie> http://pastie.org/183271 by plathrop.
[2008/04/19 08:44:25] <Volcane> and in ldap_server you include the other ones
[2008/04/19 08:44:30] <plathrop> Check that out
[2008/04/19 08:44:34] @ nigelk joined channel #puppet
[2008/04/19 08:44:40] <plathrop> It's part of my ldap module. Still in progress, though!
[2008/04/19 08:45:17] <plathrop> This version still doesn't have the framework to make it easy to port to other OSes
[2008/04/19 08:45:18] <sknight42> yeah, putting it in the file thinger up top gives this:
[2008/04/19 08:45:18] <sknight42> warning: Configuration could not be instantiated: Could not find dependency Package[] for File[/etc/ldap.conf] at /etc/puppet/modules/ldap/manifests/init.pp:20; using cached catalog
[2008/04/19 08:46:07] <mwr> typo? $ldap_package instead of $ldap_packages?
[2008/04/19 08:47:57] <sknight42> ah hah
[2008/04/19 08:48:10] <sknight42> warning: Configuration could not be instantiated: Could not find dependency Package[nss_ldapopenldap-clients] for File[/etc/ldap.conf] at /etc/puppet/modules/ldap/manifests/init.pp:20; using cached catalog
[2008/04/19 08:48:45] <sknight42> do I need to quote it at all?
[2008/04/19 08:48:55] <plathrop> In a perfect world, I would like to make it so you could set something like $ldap_implementation = openldap in site.pp to use openldap, or $ldap_implementation = some_other_implementation to use a different one.
[2008/04/19 08:49:03] <plathrop> But that's pie-in-the sky at this point
[2008/04/19 08:50:17] <Volcane> the whole thing becomes simpler if you split it up in sub classes
[2008/04/19 08:50:32] <Volcane> logic for which package to install in class ldap_packages
[2008/04/19 08:50:47] <Volcane> and dependencies in all the rest for Class["ldap_packages"]
[2008/04/19 08:50:55] <Volcane> so much simpler and less cluttered
[2008/04/19 08:51:00] <Volcane> and encourage thinking in small chunks
[2008/04/19 08:51:23] <plathrop> I'd use namespaces, though
[2008/04/19 08:51:36] <plathrop> ldap::packages instead of ldap_packages
[2008/04/19 08:51:42] <sknight42> I guess I'm just not seeing the difference between a class and a module at this point, the way you guys are discussing it
[2008/04/19 08:51:42] <Volcane> plathrop: sure, but we're keeping it simple cos sknight42 is still learning :)
[2008/04/19 08:51:57] <sknight42> 'a module is a collection of yada yada yada', yeah, I know
[2008/04/19 08:52:02] <plathrop> sknight42: A module is a collection of classes, files, templates, plugins, custom facts, etc.
[2008/04/19 08:52:06] <Volcane> sknight42: classes inside a module to break the module up into easier to understand bits
[2008/04/19 08:52:15] <plathrop> Take a look at my paste, you'll see references to templates and such
[2008/04/19 08:52:26] <plathrop> Those are all part of the module
[2008/04/19 08:52:34] <sknight42> well, what I've got now works
[2008/04/19 08:52:36] <plathrop> Does that make more sense?
[2008/04/19 08:53:00] <sknight42> if it installs the individual files before the packages, the packages will overwrite with the defaults, yes?
[2008/04/19 08:53:16] <plathrop> sknight42: That's why you want to set up dependencies
[2008/04/19 08:53:17] <Volcane> depends, centos shouldnt
[2008/04/19 08:53:20] <sknight42> and then the next time puppet queries, it'll see that the specified files have changed md5sums and requery them
[2008/04/19 08:53:26] <Volcane> centos shoul dmake blah.conf.rpmnew
[2008/04/19 08:53:31] <Volcane> leaving existing stuff alone
[2008/04/19 08:53:39] <Volcane> but that depends on the ldap package be well behaved
[2008/04/19 08:53:50] <mwr> one module example: http://tinyurl.com/5dqmp5 -- should have enough background material to explain why it's all done that way.
[2008/04/19 08:53:50] <Volcane> best not to the chance and do proper deps in pupet
[2008/04/19 08:54:57] <sknight42> yeah, but
[2008/04/19 08:55:03] <sknight42> I don't want all that shit in a node definition
[2008/04/19 08:55:10] <sknight42> I want a node definition to be TINY
[2008/04/19 08:55:59] <plathrop> sknight42: Nobody is suggesting you put that stuff in node definitions!
[2008/04/19 08:56:19] <plathrop> brb
[2008/04/19 08:56:45] @ a-priori joined channel #puppet
[2008/04/19 08:56:51] @ Quit: pdt:
[2008/04/19 08:57:35] @ Quit: a-priori: Client Quit
[2008/04/19 09:00:46] <sknight42> I am totally stealing that mount{} definition though
[2008/04/19 09:02:06] <mwr> feel free.
[2008/04/19 09:03:57] <jamesturnbull> mwr: if it's a good one ad to the wiki in the recipes :)
[2008/04/19 09:04:30] <sknight42> it's just a good basic example
[2008/04/19 09:04:57] <mwr> yeah, every time I edit the wiki, I end up screwing up the revision note, or something else.
[2008/04/19 09:05:16] <sknight42> is there a way to tell it to ensure the mountpoint exists?
[2008/04/19 09:05:28] <mwr> if the blogging weren't practically brainless, I'd not be documenting much at all publicly.
[2008/04/19 09:05:41] <plathrop> mwr: Where's your blog?
[2008/04/19 09:05:47] <mwr> blogs.cae.tntech.edu/mwr/
[2008/04/19 09:06:01] <mwr> as pimped in various tinyurls over the last bit.
[2008/04/19 09:06:25] <sknight42> hey man, pimpin' ain't easy
[2008/04/19 09:06:28] <sknight42> but it IS necessary
[2008/04/19 09:06:31] * sknight42 bookmarks
[2008/04/19 09:06:42] <plathrop> mwr: Oh, yeah! You are one of the people that got me into puppet, mwr
[2008/04/19 09:06:45] <mwr> in my case, /home always exists. In the general case, have the mount require => File["/mountpoint"] and define a file {"mountpoint": elsewhere
[2008/04/19 09:06:52] <mwr> debian-administration?
[2008/04/19 09:07:05] <plathrop> mwr: No, your blog
[2008/04/19 09:07:11] <mwr> random search, then.
[2008/04/19 09:07:13] <plathrop> I don't remember where it got linked from
[2008/04/19 09:07:15] <sknight42> mwr: wait, what?
[2008/04/19 09:07:46] <mwr> hang on
[2008/04/19 09:07:51] <plathrop> sknight42: Some people have found my blog useful for the intro stuff, too: http://plathrop.tertiusfamily.net/blog
[2008/04/19 09:08:00] <plathrop> Of course, I'm terrible about updating
[2008/04/19 09:08:02] <plathrop> sigh
[2008/04/19 09:08:31] <mwr> http://reductivelabs.com/trac/puppet/wiki/TypeReference#file -- make a file entry, make sure it's 'ensure => directory', and set the owner and mode accordingly.
[2008/04/19 09:08:43] <mwr> then you can require it from wherever.
[2008/04/19 09:15:26] <jamesturnbull> mwr: what do you mean by revision notes?
[2008/04/19 09:15:54] <mwr> something that shows up in the rss feed as a summary of the changes made. I always forgot that.
[2008/04/19 09:17:38] <sknight42> mwr: worked like a charm!
[2008/04/19 09:17:50] * plathrop updates his blog.
[2008/04/19 09:18:27] <jamesturnbull> mwr: ah you mean the "why did I change this page note" - I think that's forgive-able in exchange for good content :P
[2008/04/19 09:18:49] @ Quit: markl_: "Lost terminal"
[2008/04/19 09:19:09] <mwr> I'll try to remember to cross-post it, then. At the moment, my main puppet-related task is finishing my slides for this presentation Tuesday.
[2008/04/19 09:19:31] <sknight42> hrmm
[2008/04/19 09:19:40] <sknight42> this looks valid, but it isn't creating the directory:
[2008/04/19 09:19:41] <sknight42> file { "/home/logins", "tools":
[2008/04/19 09:19:41] <sknight42> ensure => directory
[2008/04/19 09:19:41] <sknight42> }
[2008/04/19 09:19:46] @ Quit: steinmb:
[2008/04/19 09:20:00] <mwr> file { [ "/home/logins", "/home/tools"]:
[2008/04/19 09:20:10] <sknight42> no no, /home/logins and /tools
[2008/04/19 09:20:13] <sknight42> typo on the first line
[2008/04/19 09:21:13] @ Quit: shake-n-bake_:
[2008/04/19 09:21:15] <mwr> still needs the square brackets
[2008/04/19 09:21:21] <mwr> pretty sure.
[2008/04/19 09:21:25] <sknight42> yes it does
[2008/04/19 09:21:26] <sknight42> thanks!
[2008/04/19 09:24:04] <sknight42> now this is weird
[2008/04/19 09:24:22] <sknight42> err: //Node[basenode]/allmounts/Mount[/tools]: Failed to call refresh on Mount[/tools]: Execution of '/bin/mount -o remount /tools' returned 8192: mount.nfs: Invalid argument
[2008/04/19 09:24:38] <sknight42> but the filesystem is mounted just fine
[2008/04/19 09:25:02] <mwr> default options for mount on Linux, perhaps?
[2008/04/19 09:25:28] <sknight42> O_o
[2008/04/19 09:25:30] <mwr> mount -o remount doesn't make much sense on nfs, though, so it's right.
[2008/04/19 09:26:27] <mwr> for an nfs mount, try something like options => "timeo=15,retrans=6,defaults"
[2008/04/19 09:26:41] <sknight42> well, my options are "nfsvers=3,rsize=32768,wsize=32768,noatime,exec,dev,nosuid,ro,bg,hard,intr
[2008/04/19 09:26:50] <mwr> not in the manifest, though, right?
[2008/04/19 09:27:00] <sknight42> yes in the manifest
[2008/04/19 09:27:27] <sknight42> http://pastie.org/183286
[2008/04/19 09:27:38] <mwr> odd. might just be a bug in the mount provider, then. if you dig through mount.rb (or wherever it is), you might find an errant "-o remount" somewhere
[2008/04/19 09:27:38] @ shake-n-bake joined channel #puppet
[2008/04/19 09:27:46] <mwr> and with that, I'm off for a while.
[2008/04/19 09:27:48] <sknight42> shrug
[2008/04/19 09:27:56] <sknight42> it mounted fine, and it added to fstab without issue
[2008/04/19 09:28:07] <sknight42> that's what I call "Good Enough For Government Work(tm)"
[2008/04/19 09:28:14] <sknight42> thanks for your help, mwr! much appreciated!
[2008/04/19 09:28:22] <mwr> yep
[2008/04/19 09:28:24] @ Quit: mwr: "Leaving"
[2008/04/19 09:28:54] <shadoi> sknight42: try taking out the dump param
[2008/04/19 09:32:24] <sknight42> meh, same error
[2008/04/19 09:32:40] <shadoi> shrug
[2008/04/19 09:32:50] <sknight42> I'm not too worried about it
[2008/04/19 09:33:04] <sknight42> btw
[2008/04/19 09:33:14] <sknight42> when doing a case statement, does "centos" match "CentOS"?
[2008/04/19 09:34:42] <Demosthenex> it matches "case" ;]
[2008/04/19 09:35:32] <shadoi> sknight42: you can provide multiple matches though
[2008/04/19 09:35:41] <shadoi> centos,CentOS,CENTOS:
[2008/04/19 09:36:14] <shadoi> but if you're having issues, better to just make a custom fact that normalizes it
[2008/04/19 09:36:27] <sknight42> ok
[2008/04/19 09:38:27] @ pdt joined channel #puppet
[2008/04/19 09:51:37] <sknight42> so, if I want to run the command '/sbin/iptables-restore /etc/network/iptables' every time that file is changed, do I want to use a notify, or a subscription?
[2008/04/19 09:52:32] <plathrop> sknight42: Yes
[2008/04/19 09:52:37] <plathrop> :-P
[2008/04/19 09:53:06] <plathrop> It's a style thing. Some people prefer notify, others prefer subscribe, they do much the same thing. It's all about how you think of the relationship in your head
[2008/04/19 09:53:40] @ Quit: nigelk:
[2008/04/19 09:56:22] <sknight42> alright, so how would I do it with notify?
[2008/04/19 09:56:27] <sknight42> do I need to define a service?
[2008/04/19 09:59:10] <sknight42> I wish the puppet book had an index :=/
[2008/04/19 10:00:21] <plathrop> sknight42: One sec, I'll show you an example
[2008/04/19 10:00:28] <sknight42> schweet!
[2008/04/19 10:00:29] <plathrop> pastie: show me the love
[2008/04/19 10:00:42] <sknight42> email me next time you're in Boston, Paul. Beer's on me! :-p
[2008/04/19 10:02:20] <pastie> http://pastie.org/183296 by plathrop.
[2008/04/19 10:02:40] <plathrop> Not iptables, but same concepts
[2008/04/19 10:02:47] <plathrop> Let me know if you have any questions.
[2008/04/19 10:02:50] <sknight42> oh, very cool
[2008/04/19 10:02:58] <sknight42> I thought I'd have to define a service and get all weird with it
[2008/04/19 10:02:58] <plathrop> I don't make it to Boston often, but if I do, I'll let ya know ;-)
[2008/04/19 10:03:39] <plathrop> sknight42: Just FYI, the best style would be to define a type for this sort of thing, but I'm a big fan of getting something that works, and then improving stylistically over time
[2008/04/19 10:03:48] <sknight42> a 'type'?
[2008/04/19 10:04:02] <plathrop> sknight42: Don't know. I haven't got that far :-P
[2008/04/19 10:04:04] @ Quit: ianm: "Waiting for the deus ex machina"
[2008/04/19 10:04:09] <plathrop> sknight42: Just know what I've heard here.
[2008/04/19 10:05:06] <sknight42> hehe fair enough
[2008/04/19 10:11:24] @ Quit: shadoi: Read error: 110 (Connection timed out)
[2008/04/19 10:11:59] @ Rainhead left channel #puppet ()
[2008/04/19 10:15:01] @ gh left channel #puppet ()
[2008/04/19 10:22:59] <sknight42> anyone awake?
[2008/04/19 10:23:18] <sknight42> I'mma getting this error:
[2008/04/19 10:23:18] <sknight42> err: //Node[basenode]/iptables/File[/etc/network/iptables]/ensure: change from absent to file failed: Could not set file on ensure: No such file or directory - /etc/network/iptables.puppettmp at /etc/puppet/modules/iptables/manifests/init.pp:26
[2008/04/19 10:23:43] <plathrop> Show me the manifest!
[2008/04/19 10:23:51] <sknight42> http://pastebin.com/d6e82d7b2
[2008/04/19 10:23:55] <sknight42> oh hey man, I thought you bailed
[2008/04/19 10:25:20] <plathrop> First question, does /etc/network exist already?
[2008/04/19 10:25:30] <plathrop> Nah, I'll be around until I finish this blog post
[2008/04/19 10:25:38] <sknight42> not on centos
[2008/04/19 10:25:43] <sknight42> it's /etc/sysconfig
[2008/04/19 10:26:01] <sknight42> but on debian, /etc/network does indeed exist
[2008/04/19 10:26:27] <Volcane> heh, theres a lesson here
[2008/04/19 10:26:31] <plathrop> sknight42: Well then, why are you saying "/etc/network/iptables in yer CentOS case? Line 18
[2008/04/19 10:26:38] <Volcane> standardise your choice of operating system! :)
[2008/04/19 10:26:39] <sknight42> ...
[2008/04/19 10:26:41] <sknight42> goddammit
[2008/04/19 10:26:42] <plathrop> Also, you could make this simple
[2008/04/19 10:26:54] <plathrop> You can use variables almost everywhere
[2008/04/19 10:27:03] <sknight42> ...?
[2008/04/19 10:27:16] <sknight42> and still have the fallthrough of hostname -> osname -> generic default?
[2008/04/19 10:27:21] <plathrop> so you could do notify => Exec["iptables-$operatingsystem restore"];
[2008/04/19 10:27:41] <sknight42> ...?
[2008/04/19 10:28:15] <plathrop> Volcane: Totally, that's a good plan. Some people don't have the luxury, though.
[2008/04/19 10:28:20] <plathrop> sknight42: You don't get what I'm saying?
[2008/04/19 10:28:43] <sknight42> I do, but I'd still have to have an exec at the end of every file descriptor
[2008/04/19 10:28:45] <sknight42> oh wait
[2008/04/19 10:28:48] <Volcane> sknight42: exec{"iptables-debian restore": ....} and exec{"iptables-CentOS restore": ...}
[2008/04/19 10:28:53] <sknight42> I could stick it in File up top, right?
[2008/04/19 10:29:04] <plathrop> With a little thought, you can simplify your manifest by using variables, is all I'm really saying
[2008/04/19 10:29:07] <sknight42> cuz this is a class, and puppet scopes it's variables
[2008/04/19 10:29:08] <Volcane> and then you notify as plathrop showed
[2008/04/19 10:29:34] <plathrop> Just a thought. Do it however it makes sense in your brain. I just like to repeat myself as little as possible
[2008/04/19 10:29:43] <sknight42> haha fair enough
[2008/04/19 10:30:17] <sknight42> but I should be able to define this in the File statement at the top, right?
[2008/04/19 10:30:24] <sknight42> so I don't even need three different notify events
[2008/04/19 10:31:10] <plathrop> sknight42: I think so.
[2008/04/19 10:31:21] <plathrop> sknight42: I'd do it differently.
[2008/04/19 10:31:45] <plathrop> sknight42: I'd put in a file resource for /etc/network/iptables.
[2008/04/19 10:32:06] <sknight42> I did put in a file resource for that
[2008/04/19 10:32:17] <sknight42> file { [ "/etc/network/iptables" ]:
[2008/04/19 10:32:18] <sknight42> source => [
[2008/04/19 10:32:18] <sknight42> "puppet:///iptables/iptables.$hostname",
[2008/04/19 10:32:18] <sknight42> "puppet:///iptables/iptables.$operatingsystem",
[2008/04/19 10:32:18] <sknight42> "puppet:///iptables/iptables"
[2008/04/19 10:32:18] <sknight42> ],
[2008/04/19 10:32:18] <plathrop> Stay with me, I'm not done
[2008/04/19 10:32:20] <sknight42> notify => Exec["iptables-deb restore"];
[2008/04/19 10:32:22] <sknight42> }
[2008/04/19 10:32:24] <sknight42> ahh ok
[2008/04/19 10:32:27] * sknight42 sits patiently, and listens to The Master
[2008/04/19 10:32:42] <plathrop> Then I'd make a case or if for just centos, that made a link from that to wherever CentOS expects it... Here, a paste will be better.
[2008/04/19 10:32:52] <plathrop> pastie: I am your lord and master!
[2008/04/19 10:33:12] <Demosthenex> hrm, a list of sources.
[2008/04/19 10:33:51] * Volcane would very much frown on making files the OS expect, like /etc/sysonfig/iptables, symlinks
[2008/04/19 10:34:36] <Volcane> if they're files, and left to work the way the OS intended, you know rpm upgrades wot do Weird Stuff
[2008/04/19 10:34:54] <Demosthenex> er, the file stanza won't make a symlink
[2008/04/19 10:35:14] <Demosthenex> its ensure => file that'll make a link, source creates a separate file
[2008/04/19 10:35:14] <Volcane> based on what plathrop is suggesting
[2008/04/19 10:35:51] <pastie> http://pastie.org/183305 by plathrop.
[2008/04/19 10:35:56] <sknight42> yeah, I'm not a big fan of the symlink solution either
[2008/04/19 10:35:59] <Demosthenex> i must have missed that aprt
[2008/04/19 10:36:13] <sknight42> redhat boxes ARE going to have very different firewalls from Debian boxes, and ne'er the two should cross
[2008/04/19 10:36:20] <plathrop> Well, that's what I'd do
[2008/04/19 10:36:28] <plathrop> If you don't like it, that's cool :-D
[2008/04/19 10:36:51] <Volcane> yeah making /etc/network on a centos box would just make it confusing and add a whole new learning curve turnin them into Your Centos machines rather than Centos machines
[2008/04/19 10:36:57] <plathrop> Honestly, what I'd do is kill the CentOS box until it was dead, and kill it again.
[2008/04/19 10:36:59] <Demosthenex> hrm, i see the point about symlinks, but there's no reason puppet couldn't maintain the copy.
[2008/04/19 10:37:06] <sknight42> plathrop: I like your style!
[2008/04/19 10:37:10] <plathrop> Volcane: But Puppet solves that problem.
[2008/04/19 10:37:10] <sknight42> (re: killing CentOS)
[2008/04/19 10:37:19] <sknight42> unfortuntaely, we're using Virtuozzo, which ONLY runs on headrat
[2008/04/19 10:37:22] <Demosthenex> (who would want to copy redhat anyway? yuck!)
[2008/04/19 10:37:28] <sknight42> Sales got to make the promises, I'm just stuck keeping them
[2008/04/19 10:37:36] <plathrop> sknight42: Just do a copy instead of a symlink, then.
[2008/04/19 10:37:39] <plathrop> HEre, like this:
[2008/04/19 10:37:46] <Demosthenex> as to keeping firewalls consistent, i use bastille firewall
[2008/04/19 10:37:51] <Demosthenex> uses the same config file on multiple osses
[2008/04/19 10:37:54] <sknight42> wait a sec, plathrop
[2008/04/19 10:38:01] <plathrop> http://pastie.org/183305
[2008/04/19 10:38:04] <sknight42> but that method makes an /etc/network/iptables on a headrat box
[2008/04/19 10:38:36] <plathrop> Yes, it does, and I don't really see a problem with that, if it helps you manage your boxes consistently.
[2008/04/19 10:38:36] <sknight42> in addition to creating the proper /etc/sysconfig/iptables
[2008/04/19 10:38:52] <Demosthenex> why not declare a variable for the correct location?
[2008/04/19 10:38:56] <Volcane> plathrop: yeah, and the whole point of puppet is doing thing the way the OS expects on various OSs not to break the OS and massage it into kind of working :P
[2008/04/19 10:38:59] <Demosthenex> and then the rest of the logic is generic
[2008/04/19 10:39:12] <plathrop> Demosthenex: That's another solution
[2008/04/19 10:39:30] <Demosthenex> i thought it silly to run the same command with diff files in the exec portion
[2008/04/19 10:39:45] <sknight42> hahaha
[2008/04/19 10:39:47] <sknight42> I'm such a nerd
[2008/04/19 10:39:51] <plathrop> Volcane: Maybe from your perspective. The point of Puppet for me is consistent management, however it is achieved.
[2008/04/19 10:40:01] <sknight42> I'm arguing over optimal variable declarations, AT WORK, ON A FRIDAY
[2008/04/19 10:40:06] <plathrop> Volcane: If it broke, I'd do it another way
[2008/04/19 10:40:07] <sknight42> at 8:40pm :-)
[2008/04/19 10:40:18] <plathrop> sknight42: Yay nerdosity!
[2008/04/19 10:40:21] <plathrop> Is that a word?
[2008/04/19 10:40:23] <plathrop> :-P
[2008/04/19 10:40:24] <sknight42> it is now
[2008/04/19 10:40:39] <plathrop> I'm definitely not saying that my way is best. I'm trying to show people other ways to use Puppet.
[2008/04/19 10:40:41] <sknight42> Demosthenex might have a point
[2008/04/19 10:40:50] <Demosthenex> update your case statement to include the filename
[2008/04/19 10:40:51] <plathrop> Demosthenex has a good point.
[2008/04/19 10:40:55] <plathrop> I like his style
[2008/04/19 10:40:58] <Demosthenex> rather a variable that points tot he right file
[2008/04/19 10:41:00] <sknight42> so I could do something like:
[2008/04/19 10:41:03] * Demosthenex strikes a pose.
[2008/04/19 10:41:31] <Demosthenex> now, i go to take my wife to dinner and a bottle o wine. =]
[2008/04/19 10:41:37] * plathrop is only focusing a small part of his brain on this, finishing stuff up for his actual job :-P
[2008/04/19 10:42:43] <sknight42> case $operatingsystem { debian: { $iptables-loc => /some/weird/path }, CentOS: { $iptables-loc => /some/other/path }
[2008/04/19 10:43:16] <Demosthenex> Suse: => /off/the/beaten/path
[2008/04/19 10:44:16] <Demosthenex> you might check whether the save-iptables dump changes format between distros and versions...
[2008/04/19 10:44:20] <Demosthenex> i seem to recall a problem there
[2008/04/19 10:44:20] <sknight42> it does not
[2008/04/19 10:44:28] <sknight42> not at kernel level 2.6
[2008/04/19 10:44:31] <Demosthenex> may have been a while back ;]
[2008/04/19 10:44:37] <sknight42> so I've already got this case statement:
[2008/04/19 10:44:43] <sknight42> case $operatingsystem {
[2008/04/19 10:44:43] <sknight42> CentOS: { $iptables_packages = ["iptables"] }
[2008/04/19 10:44:43] <sknight42> debian: { $iptables_packages = ["iptables"] }
[2008/04/19 10:44:43] <sknight42> }
[2008/04/19 10:44:47] <sknight42> can I just add it onto there?
[2008/04/19 10:44:51] <Volcane> $iptables-los = $operatingsystem ? { debian => "/some/weird/path }, CentOS => "/some/sensible/path" }
[2008/04/19 10:45:10] <sknight42> ahh ok
[2008/04/19 10:45:19] <sknight42> I can never remembe which statement style to use
[2008/04/19 10:45:25] <Volcane> or extend the case you just pasted and do all your variable assigns in those blocks
[2008/04/19 10:45:28] <Volcane> and just have one
[2008/04/19 10:46:01] <Volcane> so right at top define all the vars you need for all the operating systems and then just use teh data later on
[2008/04/19 10:46:10] <Volcane> should make things much more readable
[2008/04/19 10:47:10] @ johnf joined channel #puppet
[2008/04/19 10:47:18] <sknight42> is this valid:
[2008/04/19 10:47:18] <sknight42> http://pastie.org/183310
[2008/04/19 10:47:42] <Volcane> yeah