Monday, 2009-05-25

« Sunday, 2009-05-24 Index Tuesday, 2009-05-26 »
[2009/05/25 00:10:50] @ Log started by gepetto
[2009/05/25 00:10:50] @ PaulWay joined channel #puppet
[2009/05/25 00:39:18] @ Quit: kelseyhightower:
[2009/05/25 00:39:50] @ Quit: hessml: "Leaving..."
[2009/05/25 00:40:24] @ hessml joined channel #puppet
[2009/05/25 00:49:15] @ ssm joined channel #puppet
[2009/05/25 00:51:49] @ Quit: shake-n-bake:
[2009/05/25 01:01:55] @ PhabX joined channel #puppet
[2009/05/25 01:07:44] @ Quit: nearthal: Remote closed the connection
[2009/05/25 01:15:14] @ Quit: d3vilb0x:
[2009/05/25 01:41:10] @ jmeeuwen joined channel #puppet
[2009/05/25 01:49:29] @ Quit: joe-mac: "Leaving."
[2009/05/25 01:49:31] @ Quit: andrewcshafer:
[2009/05/25 01:53:27] @ Quit: mfoster: "Leaving."
[2009/05/25 02:04:14] @ mfournier joined channel #puppet
[2009/05/25 02:11:31] @ Quit: hessml: "Leaving..."
[2009/05/25 02:16:52] @ Quit: pugnacity: "Leaving."
[2009/05/25 02:17:25] @ pugnacity joined channel #puppet
[2009/05/25 02:18:50] @ Quit: fbe: Read error: 60 (Operation timed out)
[2009/05/25 02:21:54] @ nasrat joined channel #puppet
[2009/05/25 02:28:39] @ FengBlao joined channel #puppet
[2009/05/25 02:44:00] <nasrat> anyone got a freebsd box to hand?
[2009/05/25 02:48:11] <jamesturnbull> nasrat: me
[2009/05/25 02:48:38] <jamesturnbull> nasrat: but I need to go home to access it - I have a 7.2 VM at home
[2009/05/25 02:48:48] <nasrat> ah ok
[2009/05/25 02:48:56] <nasrat> I'm just dl'ing dvd
[2009/05/25 02:49:10] <jamesturnbull> wqorth doing anyway I suspect
[2009/05/25 02:49:17] <nasrat> yeah
[2009/05/25 02:49:18] <jamesturnbull> I also have netbsd and need to install nad open
[2009/05/25 02:49:57] <jamesturnbull> ah though I have 7.2 amd64
[2009/05/25 02:50:03] @ Quit: madrescher: "Leaving."
[2009/05/25 02:50:03] <jamesturnbull> so no use for that ticket
[2009/05/25 02:50:33] @ Innocenti joined channel #puppet
[2009/05/25 02:51:16] <jamesturnbull> nasrat: when I have more time I am going to create a small army of AMIs on Amazon and use then as a giant test farm
[2009/05/25 02:51:23] <nasrat> yeah
[2009/05/25 02:51:33] <jamesturnbull> nasrat: and the backend of a Ci engine
[2009/05/25 02:51:36] <nasrat> I just discovered thoughtpolice.co.uk which has a bunch of vms
[2009/05/25 02:52:38] <nasrat> freebsd xen support doesn't support 3.0.3 and thus not EC2
[2009/05/25 02:52:52] @ pleemans joined channel #puppet
[2009/05/25 02:53:13] <webx> is there any major difference in the 24.8 handling of ssh auth keys that I didn't see in any of the release docs
[2009/05/25 02:53:31] <jamesturnbull> webx: no that I remember
[2009/05/25 02:53:51] <webx> http://pastie.org/488421
[2009/05/25 02:53:59] <webx> behavior is definitely different
[2009/05/25 02:54:10] <webx> my manifest doesn't work at all with 24.8
[2009/05/25 02:54:34] <webx> I can add traces/debug if necessary.. but I figured I'd ask first before going all heavy into it
[2009/05/25 02:54:40] <jamesturnbull> webx: webx that's the changelog - http://projects.reductivelabs.com/projects/puppet/changelog#0.24.8
[2009/05/25 02:54:46] <jamesturnbull> webx: every ticket closed
[2009/05/25 02:55:31] <webx> yeah, I see that.. and something about a refactoring of authorized_keys
[2009/05/25 02:55:41] <webx> which is why I was wondering if the syntax or anything changed
[2009/05/25 02:55:55] <jamesturnbull> webx: there was one tickets in 0.24.7 I think hmmm #1737
[2009/05/25 02:55:56] <gepetto> jamesturnbull: webx: #1737 is http://projects.reductivelabs.com/issues/show/1737 "Puppet - Bug #1737: ssh_autorized_key cannot parse lines with a command containing a comma - ReductiveLabs.com"
[2009/05/25 02:56:19] <jamesturnbull> webx: where did you see the refactor com,ment?
[2009/05/25 02:56:33] <webx> in the changelog you posted
[2009/05/25 02:56:33] * jamesturnbull will brb - work
[2009/05/25 02:56:58] <webx> http://projects.reductivelabs.com/issues/1644
[2009/05/25 02:57:49] @ mvn071 joined channel #puppet
[2009/05/25 02:57:51] <nasrat> git log 0.24.7..0.24.8 --
[2009/05/25 02:59:12] <webx> using a very basic syntax, similar to mine, is anyone able to have authorized_keys updated with 24.8?
[2009/05/25 03:00:30] <webx> if it matters, my server is still 24.6 but the client is 24.8. I didn't want to go upgrading the server yet, but I don't know if it's necessary
[2009/05/25 03:01:07] @ aymerick joined channel #puppet
[2009/05/25 03:01:57] <nasrat> webx: can you try without the target => and link
[2009/05/25 03:02:30] <nasrat> also you can just test on the client with puppet binary
[2009/05/25 03:02:44] <webx> sure, sec
[2009/05/25 03:03:02] <webx> regarding without target and link.. by default, I believe puppet writes to "authorized_keys" right?
[2009/05/25 03:03:41] @ MarlondB joined channel #puppet
[2009/05/25 03:06:52] @ eythian joined channel #puppet
[2009/05/25 03:07:54] <nasrat> webx: hmm the provider docs don't say I'll check the src
[2009/05/25 03:07:56] <nasrat> http://reductivelabs.com/trac/puppet/wiki/TypeReference#ssh-authorized-key
[2009/05/25 03:09:09] @ francois joined channel #puppet
[2009/05/25 03:09:48] <nasrat> oh target is mandatory
[2009/05/25 03:10:17] <webx> figured it was.. I'll test with it
[2009/05/25 03:12:37] <nasrat> http://gist.github.com/117422
[2009/05/25 03:12:51] <nasrat> that's the change to the type between 0.24.7 and 0.24.8
[2009/05/25 03:13:07] <webx> http://pastie.org/488807
[2009/05/25 03:13:43] @ nakano is now known as nakano_
[2009/05/25 03:13:55] @ nakano_ is now known as nakano
[2009/05/25 03:14:59] <webx> I tried with quoting the target as well without any changes
[2009/05/25 03:15:15] <nasrat> webx: you need to include the class at the bottom of that to test locally with puppet
[2009/05/25 03:15:50] <webx> ah, yes I do
[2009/05/25 03:15:54] <webx> I was wondering wtf
[2009/05/25 03:16:47] <francois> webx: some troubles with ssh_authorized_key ?
[2009/05/25 03:17:06] <webx> francois: yes
[2009/05/25 03:17:24] <nasrat> based on the tests target should be a absolute path
[2009/05/25 03:17:33] <nasrat> the tests say
[2009/05/25 03:17:53] <nasrat> if user and no target use ~USER/.ssh/authorized_keys
[2009/05/25 03:18:00] <nasrat> else use target
[2009/05/25 03:18:06] <francois> yes, that's right
[2009/05/25 03:18:20] <francois> I've never tested it with relative paths
[2009/05/25 03:19:01] <nasrat> it seems that was working in 0.24.7, but wasn't explicint
[2009/05/25 03:19:14] <nasrat> we need to improve the puppetdoc for that type
[2009/05/25 03:19:19] <francois> do you have an example of such usage ?
[2009/05/25 03:19:28] <francois> yeah, definitely
[2009/05/25 03:19:43] @ Quit: PhabX: "Leaving..."
[2009/05/25 03:19:59] <nasrat> francois: see webx's pastie http://pastie.org/488421
[2009/05/25 03:20:57] <webx> so target requires full path. I'll try it that way
[2009/05/25 03:22:05] <francois> mmh, interesting
[2009/05/25 03:22:22] <francois> I guess that relative path depends on puppetd current working directory
[2009/05/25 03:22:39] <webx> yea, with 24.8 if I just comment out target
[2009/05/25 03:22:52] <webx> it works fine and shoves it in $USER/.ssh/authorized_keys
[2009/05/25 03:23:02] <francois> didn't "target => authorized_keys2" created a /root/authorized_keys2 file ?
[2009/05/25 03:23:17] <webx> it does in 24.5 and 24.7, unless I'm retarded
[2009/05/25 03:23:25] <webx> which is possible
[2009/05/25 03:23:30] <webx> let me double check again
[2009/05/25 03:23:49] <francois> webx: cool, if it works under previous versions, it's an interesting side effect
[2009/05/25 03:23:53] @ Quit: jmeeuwen: Read error: 110 (Connection timed out)
[2009/05/25 03:24:51] <francois> I should probably update the doc to say that target must be an absolute path
[2009/05/25 03:25:04] <webx> we set the link up for authorized_keys2 to point to authorized_keys
[2009/05/25 03:25:12] <webx> but the target points to authorized_keys2
[2009/05/25 03:25:29] <webx> so either the target is being ignored completely and it's just writing to authorized_keys
[2009/05/25 03:25:40] <webx> or the relative path works fine and it's writing to authorized_keys2
[2009/05/25 03:25:54] <francois> BTW, target is only useful in special cases where you want to put keys in a "non-default" location
[2009/05/25 03:26:14] <webx> right
[2009/05/25 03:26:36] <webx> I will change our class after this to exclude the target and then just set the links up to symlink
[2009/05/25 03:27:14] <francois> the desired behavior is that 'target' takes precedence over 'user'
[2009/05/25 03:27:19] @ HarryCalahan joined channel #puppet
[2009/05/25 03:34:50] <francois> webx: do you think that such doc could have cleared confusion when you started using this type ?
[2009/05/25 03:34:51] <francois> http://gist.github.com/117428
[2009/05/25 03:35:17] @ alfism joined channel #puppet
[2009/05/25 03:37:25] @ tim|macbook joined channel #puppet
[2009/05/25 03:37:47] <nasrat> francois: that looks better to me
[2009/05/25 03:38:02] @ pluesch0r joined channel #puppet
[2009/05/25 03:39:23] <pluesch0r> hi everybody. i'm on debian and would like to install a package file (ruby-enterprise) that's not included in the normal distro mirrors. how do i need to configure the package directive to make puppet install the package which is available on http://rubyforge.org/frs/download.php/57099/ruby-enterprise_1.8.6-20090520_amd64.deb? i tried "source", but that didn't work.
[2009/05/25 03:42:33] <ch> dpkg can only install local files, so you need to present a local file
[2009/05/25 03:43:22] <pluesch0r> so the way to go is to transfer the file from, say, the puppet master to the puppet, install it .. and then remove the temporary file?
[2009/05/25 03:43:31] <ch> and set provider => dpkg
[2009/05/25 03:43:36] @ Quit: bgupta: Read error: 104 (Connection reset by peer)
[2009/05/25 03:43:48] <nasrat> or setup a repo
[2009/05/25 03:43:51] <ch> pluesch0r: yeah you need to get the file to the client. or just put the file into a repo
[2009/05/25 03:43:57] <HarryCalahan> pluesch0r: or run your own repository
[2009/05/25 03:44:02] @ bgupta joined channel #puppet
[2009/05/25 03:44:13] <pluesch0r> i've been planning on setting up my own repo (again), but that's out of the scope right now.
[2009/05/25 03:44:16] <pluesch0r> thanks. :)
[2009/05/25 03:46:09] <ch> btw, you probably want to wget the file, if it's big.
[2009/05/25 03:46:47] <pluesch0r> yeah.
[2009/05/25 03:50:23] @ Quit: pugnacity: "Leaving."
[2009/05/25 03:50:23] @ Quit: bgupta: Read error: 104 (Connection reset by peer)
[2009/05/25 03:50:40] @ bgupta joined channel #puppet
[2009/05/25 03:51:19] @ werner_ joined channel #puppet
[2009/05/25 03:52:10] @ Quit: werner__: Read error: 110 (Connection timed out)
[2009/05/25 03:53:59] @ Quit: kolla: Remote closed the connection
[2009/05/25 03:54:15] @ pugnacity joined channel #puppet
[2009/05/25 03:54:52] @ nakano is now known as nakano_
[2009/05/25 03:55:03] @ nakano_ is now known as nakano
[2009/05/25 03:55:40] @ nakano is now known as nakano_
[2009/05/25 03:55:45] @ nakano_ is now known as nakano
[2009/05/25 04:03:30] <webx> francois: a little late, but yeah I think that doc would have helped with the confusion.
[2009/05/25 04:03:37] <webx> I was afk for a bit
[2009/05/25 04:04:02] <francois> ok, great
[2009/05/25 04:04:12] <nico> http://www.masterzen.fr/2009/05/24/puppet-and-jruby-a-love-story/
[2009/05/25 04:04:20] <nico> looks good :)
[2009/05/25 04:04:43] <francois> I've created bug #2300 to address this issue
[2009/05/25 04:04:43] <gepetto> francois: #2300 is http://projects.reductivelabs.com/issues/show/2300 "Puppet - Bug #2300: ssh_authorized_key documentation - ReductiveLabs.com"
[2009/05/25 04:09:54] @ pluesch0r left channel #puppet ()
[2009/05/25 04:11:45] @ Quit: eythian: Read error: 54 (Connection reset by peer)
[2009/05/25 04:11:50] @ eythian_ joined channel #puppet
[2009/05/25 04:14:25] @ PaulWay left channel #puppet ()
[2009/05/25 04:18:35] @ Quit: webx: "..(cyp): [BX] The Borg use BitchX. It will be assimilated. Shouldn't you?"
[2009/05/25 04:27:28] @ eythian_ is now known as eythian
[2009/05/25 04:28:07] @ zipkidiPhone joined channel #puppet
[2009/05/25 04:28:11] <eythian> I'm trying to set up mongrel, but I always get 'connection reset by peer' when attempting to connect to the master on localhost (and apache sees the same thing.) Why could this be?
[2009/05/25 04:29:03] <eythian> The master isn't logging anything about why it's doing that.
[2009/05/25 04:31:50] @ alban2 joined channel #puppet
[2009/05/25 04:36:28] @ verwilst joined channel #puppet
[2009/05/25 04:39:20] @ Quit: nicZar1: Remote closed the connection
[2009/05/25 04:40:10] @ niczar1 joined channel #puppet
[2009/05/25 04:40:48] <phantez> gepetto: seen lak
[2009/05/25 04:40:48] <gepetto> phantez: lak was last seen 11 hours, 41 minutes and 14 seconds ago, quitting IRC ()
[2009/05/25 04:48:02] <ohadlevy> is it possible to override with inheritance something which is part of a define?
[2009/05/25 04:50:32] <ohadlevy> for example, can i override the source in this example: http://pastie.org/pastes/488847
[2009/05/25 04:50:40] <eythian> OK, found my issue. The init script has a bug that wasn't setting --servertype
[2009/05/25 04:51:33] <Volcane> ohadlevy: you could override Afile{ x=> "foo" }
[2009/05/25 04:52:31] @ Quit: FengBlao:
[2009/05/25 04:55:39] <ohadlevy> Volacne: I want to override the source
[2009/05/25 04:55:52] <ohadlevy> this will allow me to override only part of the source
[2009/05/25 04:58:57] @ Quit: niczar1: Remote closed the connection
[2009/05/25 04:59:26] @ briandquinn joined channel #puppet
[2009/05/25 04:59:27] <verwilst> if i have a fact named "netmask_eth0.2"
[2009/05/25 04:59:31] <verwilst> i cannot use it
[2009/05/25 04:59:43] <verwilst> it chokes on the dot
[2009/05/25 04:59:47] <verwilst> any ideas?
[2009/05/25 04:59:52] <verwilst> \. doesnt help :)
[2009/05/25 05:00:04] <Volcane> did you try ${netmask_eth0.2}
[2009/05/25 05:00:19] <verwilst> trying now :)
[2009/05/25 05:00:21] <HarryCalahan> off topic: i forgot the name of a command line tool that displayed network traffic in bytes/sec per connection. (not iptraf).
[2009/05/25 05:00:37] <Volcane> iftop?
[2009/05/25 05:01:08] <Volcane> theres another, blue background screen etc, with menus and all, name escapes me now too
[2009/05/25 05:01:10] <HarryCalahan> Volcane: hit.
[2009/05/25 05:01:39] <HarryCalahan> and it was installed. i just forgot the name...
[2009/05/25 05:02:14] <verwilst> Volcane: <%= ${netmask_eth0.2} %> you mean ?
[2009/05/25 05:02:18] <HarryCalahan> Volcane: and iptraf has all those fancy menues.
[2009/05/25 05:02:18] <verwilst> that doesn't work :(
[2009/05/25 05:02:29] <Volcane> ah, you didnt say in a template :)
[2009/05/25 05:02:54] <Volcane> HarryCalahan: yeah, theres another older project though but yeah, iptraf works fine
[2009/05/25 05:03:02] <Volcane> err, iptop works fine
[2009/05/25 05:03:13] <HarryCalahan> Volcane: iptop was the one i was looking for. thanks
[2009/05/25 05:03:23] <Volcane> verwilst: not sure then
[2009/05/25 05:03:32] <verwilst> Volcane: me neither :D
[2009/05/25 05:05:01] * Volcane cries about www.kanarip.com still being down
[2009/05/25 05:05:02] <Volcane> *wants* his rubygem-passenger rpm
[2009/05/25 05:09:25] <nasrat> Volcane: google cache has the specfile
[2009/05/25 05:10:09] <Volcane> ah and so it does, great thanks
[2009/05/25 05:12:09] * Volcane wish people would stop with these horrific interactive install monstrosities
[2009/05/25 05:12:50] <verwilst> Volcane: Facter 1.5.5 changelog: Fixed #2081 - Fixed interfaces fact for vlan subinterfaces
[2009/05/25 05:12:51] <gepetto> verwilst: Volcane: #2081 is http://projects.reductivelabs.com/issues/show/2081 "Facter - Bug #2081: interfaces fact doesn't account for subinterfaces on vlan tagged interfaces - ReductiveLabs.com"
[2009/05/25 05:12:54] <verwilst> Volcane: ( FYI )
[2009/05/25 05:13:32] <HarryCalahan> Volcane: because otherwise there would be no need for expect ;)
[2009/05/25 05:13:46] <eythian> I now get 'May 25 21:11:35 puppet puppetmasterd[21484]: Permission denied: Cannot access mount[plugins]' ... how can I fix that?
[2009/05/25 05:14:30] <Volcane> nasrat: ah seems it doesnt have the patches though thats needed, bah, will wait
[2009/05/25 05:15:43] @ bgupta_ left channel #puppet ()
[2009/05/25 05:20:23] @ Quit: authentic: Read error: 110 (Connection timed out)
[2009/05/25 05:27:12] @ pluesch0r joined channel #puppet
[2009/05/25 05:28:06] <pluesch0r> hi everybody! say ... is there a way to tell puppet to use the gem binary located in /wherever/it/is instead of the one it finds in $PATH? or do i need to change $PATH for that (which i really don't like)?
[2009/05/25 05:31:06] @ Quit: yarihm: "Leaving"
[2009/05/25 05:37:15] @ Quit: zipkidiPhone: "bubyeeee!"
[2009/05/25 05:37:49] @ zipkidiPhone joined channel #puppet
[2009/05/25 05:37:50] @ Quit: zipkidiPhone: Remote closed the connection
[2009/05/25 05:39:57] @ SyTonnerre joined channel #puppet
[2009/05/25 05:40:00] <SyTonnerre> Salut, me again
[2009/05/25 05:40:10] <nasrat> Volcane: hmm found where it might live but still no joy http://git.puppetmanaged.org/?p=domain-kanarip.com;a=blob_plain;f=webserver/sites/www.kanarip.com.conf;hb=6f2b642b495cc1f0faf7472f36da5e77b79d0616
[2009/05/25 05:40:35] <Volcane> heh is ok, he's bound to be back here morrow after the holiday and fix his machine
[2009/05/25 05:40:48] <SyTonnerre> Is there a way to detect if a certain definition is applicable? I have the problem that one of my hosts claims that "Could not find a default provider for host"
[2009/05/25 05:40:55] * tim|macbook is interested in hearing how people who use puppet on EC2 handle the certificate-signing
[2009/05/25 05:40:56] <SyTonnerre> And I'd like to be able to say something like
[2009/05/25 05:41:21] <SyTonnerre> if (there is a default provider for host) { host { "…": … } }
[2009/05/25 05:41:53] <tim|macbook> or if they use puppet instead of puppetd
[2009/05/25 05:42:43] <tim|macbook> now that i think about it, that's a great case for using puppet instead of puppetd, i guess?
[2009/05/25 05:43:13] <nasrat> Volcane: or use whois to phone :)
[2009/05/25 05:43:19] <Volcane> lol
[2009/05/25 05:43:51] <nasrat> tim|imac: not started on ec2, but probably could abuse the ec2 userdata
[2009/05/25 05:46:31] * Volcane 's fiddled with EC2 a bit, but dont really have need for rapid scaling and their instances cost more than renting physical machines so not bothered
[2009/05/25 05:46:39] @ ohadlevy left channel #puppet ()
[2009/05/25 05:47:54] <tim|macbook> yeah, i was thinking about the userdata too
[2009/05/25 05:48:19] <nasrat> other option is to run puppet headless (just use puppet, not puppetmasterd/puppetd)
[2009/05/25 05:48:33] <nasrat> for bootstrapping that's pretty straightforward
[2009/05/25 05:49:01] <tim|macbook> yeah, that was what i was thinking when i was writing earlier... probably a good use case for that
[2009/05/25 05:49:23] <Volcane> someone here had cap tasks to create instances, log into them request keys, then log into the master sign them etc and then kick off the puppet run
[2009/05/25 05:50:13] <tim|macbook> yeah, but i want the developers to be able to start instances without us having to sign for each machine, while still having some control over the process... so i was thinking about presigning and using userdata to get the correct cert or something
[2009/05/25 05:50:25] <tim|macbook> but puppet is more interesting, now that i think about it
[2009/05/25 05:50:26] @ pluesch0r_ joined channel #puppet
[2009/05/25 05:50:51] <nasrat> http://edmund.haselwanter.com/en/blog/2008/09/06/bootstraping-ec2-with-puppet-iclassify-and-capistrano/
[2009/05/25 05:51:41] <Volcane> yeah thats it, except anyone starting to use iclassify with puppet would probably not be wise
[2009/05/25 05:51:54] <tim|macbook> yeah, i'm not a fan of iclassify, really
[2009/05/25 05:53:01] <nasrat> tim|macbook: ok so do you have a seperate group for your dev env?
[2009/05/25 05:53:22] <nasrat> ec2 group that is?
[2009/05/25 05:53:59] <tim|macbook> ofc
[2009/05/25 05:54:06] <tim|macbook> dev, test, qa, prod
[2009/05/25 05:54:16] <tim|macbook> but each developer will probably want their own dev instance
[2009/05/25 05:54:19] <tim|macbook> which is ok
[2009/05/25 05:54:37] <tim|macbook> we will probably maintain the image and do updates and the like on running machines with puppet
[2009/05/25 05:55:20] <tim|macbook> we're not yet sure on how to fit it into our business model
[2009/05/25 05:55:29] <tim|macbook> first customer that wants to switch to "the cloud"
[2009/05/25 05:57:46] <nasrat> ok, so do you have seperate dns per env eg dev.example.com?
[2009/05/25 05:59:25] <tim|macbook> it's not that large a site, so i think we'll be working with hosts files instead of proper dns
[2009/05/25 05:59:48] <nasrat> well you could autosign *.dev.example.com
[2009/05/25 06:00:00] <tim|macbook> ah
[2009/05/25 06:00:05] <nasrat> and auto append your mapping of instance to host
[2009/05/25 06:00:07] <tim|macbook> yeah, that's a good idea, indeed
[2009/05/25 06:00:24] * Volcane wouldnt autosign nything from IPs he cant predict
[2009/05/25 06:00:26] <nasrat> and make register/terminate dtrt with hosts
[2009/05/25 06:00:35] <tim|macbook> can you do that in puppetmaster? append a mapping when you autosign? or would that be some separate scripting?
[2009/05/25 06:00:38] <Volcane> so only if you used reserved ips would i do that
[2009/05/25 06:00:59] <tim|macbook> actually
[2009/05/25 06:01:10] <tim|macbook> simply using node *.dev.example.com would work
[2009/05/25 06:01:32] <Volcane> you cant do wildcards like that in node statements afaik?
[2009/05/25 06:01:58] <tim|macbook> no? hm... ok... then it would probably require some scripting then
[2009/05/25 06:02:04] <Volcane> create an environment with a default node, pop them all in that environment
[2009/05/25 06:02:14] <nasrat> Volcane: I guess it depends where you are using puppetmaster, you could have one running in a group in ec2 and only allow your host group to access it
[2009/05/25 06:02:22] <tim|macbook> ofc, default node... good idea
[2009/05/25 06:02:49] <nasrat> tim|macbook: if you get something up and running it'd be good to discuss on list (pit falls, issues, tips)
[2009/05/25 06:02:53] <nasrat> and maybe a blog post
[2009/05/25 06:02:56] <Volcane> nasrat: hmm, not looked at the groups stuff yet
[2009/05/25 06:03:07] @ Quit: pluesch0r: Read error: 113 (No route to host)
[2009/05/25 06:03:14] <tim|macbook> then again, i think the puppet-instead-of-puppetd solution would be easier to setup... using something like s3fs to mount the manifests ro...
[2009/05/25 06:04:15] <Volcane> nasrat: dont really see how its worth paying what they charge for such small VMs really
[2009/05/25 06:05:13] <nasrat> I'm aware it's not a solution for everyone :)
[2009/05/25 06:06:01] <Volcane> nods. worth it if u need to grow rapidly etc, first need to convince my devs to ditch their retarded home-brew "middle ware" that doesnt scale past 7 or so machines heh
[2009/05/25 06:06:05] <tim|macbook> Volcane: it's the easy scalability that makes it worth it for our customer
[2009/05/25 06:06:22] <Volcane> yeah
[2009/05/25 06:07:23] <nasrat> yeah for scalability like that you really need the application to work that way (no shared state, maybe svc discovery)
[2009/05/25 06:10:41] @ DasFx joined channel #puppet
[2009/05/25 06:11:26] <Volcane> and be happy to cope with fluctuating performance on a per instance level
[2009/05/25 06:13:12] <tim|macbook> yeah, there are drawbacks, but this customer especially needs to have some serieus parallel computing at certain times and they're happy to pay for a lot of instances running for several hours a week if that means the job gets down in 3 hours instead of 120
[2009/05/25 06:13:27] <Volcane> yeah thats kewl
[2009/05/25 06:13:33] <tim|macbook> exactly
[2009/05/25 06:13:40] <tim|macbook> i'm kinda exited to be working on it, really
[2009/05/25 06:13:49] <Volcane> yeah i wish i had clients who needed it too
[2009/05/25 06:13:49] <tim|macbook> i like the idea of ec2/s3/sqs/etc.
[2009/05/25 06:14:11] <tim|macbook> actually makes me a little sad that i'm not a developer :D
[2009/05/25 06:14:18] <tim|macbook> (not sad enough to become one full time, though)
[2009/05/25 06:14:31] @ Quit: blahdeblah: "Leaving."
[2009/05/25 06:14:41] <HarryCalahan> tim|macbook: stay between both worlds.
[2009/05/25 06:15:27] <tim|macbook> heh ;-)
[2009/05/25 06:16:28] @ Quit: fluxdude: Read error: 110 (Connection timed out)
[2009/05/25 06:16:52] <HarryCalahan> and you can always blame the other world...
[2009/05/25 06:17:02] @ pluesch0r_ is now known as pluesch0r
[2009/05/25 06:17:53] @ Quit: machpo: Read error: 110 (Connection timed out)
[2009/05/25 06:19:37] @ melopt joined channel #puppet
[2009/05/25 06:24:31] @ nasrat_ joined channel #puppet
[2009/05/25 06:32:21] @ Quit: nasrat: Read error: 110 (Connection timed out)
[2009/05/25 06:33:37] @ nasrat_ is now known as nasrat
[2009/05/25 06:35:49] @ Quit: melopt: "Leaving"
[2009/05/25 06:37:31] @ Quit: dsch04: "Leaving"
[2009/05/25 06:41:10] @ dsch04 joined channel #puppet
[2009/05/25 06:45:50] @ fujin joined channel #puppet
[2009/05/25 06:50:32] @ Quit: garin_: Read error: 110 (Connection timed out)
[2009/05/25 07:12:45] @ d3vilb0x joined channel #puppet
[2009/05/25 07:19:02] @ Quit: dsch04: Read error: 113 (No route to host)
[2009/05/25 07:21:43] @ dsch04 joined channel #puppet
[2009/05/25 07:24:37] @ madrescher joined channel #puppet
[2009/05/25 07:25:45] @ kolla joined channel #puppet
[2009/05/25 07:37:01] @ niczar1 joined channel #puppet
[2009/05/25 08:08:02] <HarryCalahan> c!
[2009/05/25 08:10:45] <SyTonnerre> http://reductivelabs.com/trac/puppet/wiki/Recipes/Nagios seems pretty inappropriate nowadays
[2009/05/25 08:14:25] @ ricky_ joined channel #puppet
[2009/05/25 08:14:45] @ Quit: ricky: Nick collision from services.
[2009/05/25 08:15:24] @ ricky_ is now known as ricky
[2009/05/25 08:25:41] @ macbar joined channel #puppet
[2009/05/25 08:30:35] @ webx joined channel #puppet
[2009/05/25 08:31:25] <webx> I get a line like the following on every puppet run, even though my ssh keys are not changing:
[2009/05/25 08:31:27] <webx> May 25 12:29:48 sw17152 puppetd[6733]: (//Node[sw17152.sv4.zynga.com]/248_root_sshkey/248_root_sshkey::Add_sshkey[bbartlett@zynga.com]/Ssh_authorized_key[bbartlett@zynga.com]/target) target changed '/root/.ssh/authorized_keys' to '/root/.ssh/authorized_keys'
[2009/05/25 08:31:51] <webx> 24.8
[2009/05/25 08:32:02] @ joe-mac joined channel #puppet
[2009/05/25 08:33:11] @ jack-_- joined channel #puppet
[2009/05/25 08:38:25] @ Quit: kolla: Remote closed the connection
[2009/05/25 08:45:23] @ Quit: ssm: "Leaving"
[2009/05/25 09:25:39] @ glaw joined channel #puppet
[2009/05/25 09:34:45] @ werner__ joined channel #puppet
[2009/05/25 09:36:50] @ Quit: werner_: Read error: 110 (Connection timed out)
[2009/05/25 09:39:13] <jenza> webx yes it's a known bug that should be fixed by now
[2009/05/25 09:39:27] <jenza> I think it's fixed in 2.5
[2009/05/25 09:40:29] <jenza> #2124
[2009/05/25 09:40:30] <gepetto> jenza: #2124 is http://projects.reductivelabs.com/issues/show/2124 "Puppet - Bug #2124: ssh_authorized_key always changes target if target is not defined - ReductiveLabs.com"
[2009/05/25 09:43:12] @ Quit: glaw: ""Remember, information is not knowledge, knowledge is not wisdom, wisdom is not truth, truth is not beauty, beauty is not love"
[2009/05/25 09:45:19] @ lak joined channel #puppet
[2009/05/25 09:45:38] <nasrat> #1896
[2009/05/25 09:45:38] <gepetto> nasrat: #1896 is http://projects.reductivelabs.com/issues/show/1896 "Facter - Feature #1896: Facts from a configuration file - ReductiveLabs.com"
[2009/05/25 09:46:48] @ Quit: tim|macbook:
[2009/05/25 09:48:18] <nasrat> are the files in facter/conf for packaging dead now?
[2009/05/25 09:49:39] <nasrat> hmm we seem to have a etc/facter.conf too!
[2009/05/25 09:50:46] @ Quit: webx: "My damn controlling terminal disappeared!"
[2009/05/25 09:53:22] <tmz> nasrat: I just recently synced the current Fedora/EPEL rpm spec file on the fedora branch at git://jet.mox.net/~tmz/facter (and hadn't gotten around to asking anyone to pull it. :)
[2009/05/25 09:53:48] <nasrat> tmz: ok cool can you file that please
[2009/05/25 09:59:53] <jamesturnbull> nasrat: you started on 1.6 then?
[2009/05/25 10:00:03] <nasrat> jamesturnbull: starting :)
[2009/05/25 10:00:08] <nasrat> not got very far
[2009/05/25 10:00:24] <jamesturnbull> nasrat: so you'll be finished tomorrow then?
[2009/05/25 10:00:44] <jamesturnbull> did you have a roadmap idea?
[2009/05/25 10:01:19] <mrrx> hello
[2009/05/25 10:02:08] <mrrx> i wonder... if puppet is updated, is there a way to tell puppet to restart running the catalog?
[2009/05/25 10:02:28] <jamesturnbull> mrrx: restart the client
[2009/05/25 10:02:50] <tmz> nasrat: done (#2301)
[2009/05/25 10:02:50] <gepetto> tmz: nasrat: #2301 is http://projects.reductivelabs.com/issues/show/2301 "Facter - Bug #2301: Sync redhat rpm spec file with latest from Fedora/EPEL - ReductiveLabs.com"
[2009/05/25 10:03:20] <nasrat> jamesturnbull: yeah I need to mail the list - probably tomorrow
[2009/05/25 10:03:29] <mrrx> jamesturnbull: plausible, thought there was a more elegant way on doing it
[2009/05/25 10:03:29] <nasrat> then can discuss more at call on wednesday
[2009/05/25 10:03:48] <jamesturnbull> mrrx: well you can just wait for 30 minutes
[2009/05/25 10:04:01] <jamesturnbull> mrrx: or whatever your interval is
[2009/05/25 10:04:02] <nasrat> sighup
[2009/05/25 10:04:09] <jamesturnbull> nasrat: or that :)
[2009/05/25 10:04:39] <mrrx> umm
[2009/05/25 10:04:42] <mrrx> good diea
[2009/05/25 10:04:43] <nasrat> i guess that doesn't work under passenger
[2009/05/25 10:04:46] <mrrx> a script that does it
[2009/05/25 10:05:14] <mrrx> *idea
[2009/05/25 10:06:12] <nasrat> one wonders if with the message queue you could configure rerun on a particular message topic
[2009/05/25 10:06:46] <nasrat> obviously we'd need to avoid hammering the server and for it to be optional
[2009/05/25 10:07:35] <mrrx> i think this kind of behaviour should be builtin puppet, if it detects it has updated itself, it should do a rerun
[2009/05/25 10:07:45] <jamesturnbull> mrrx: why?
[2009/05/25 10:08:08] <jamesturnbull> mrrx: the master detects new configuration - that gets run when the client next connects
[2009/05/25 10:09:50] <mrrx> it's not about new configuration, rather puppet being updated. The same thing happens in portage, if portage is emerged along with one or more other packages, portage emerges portage itself first, then reinitiate the whole process
[2009/05/25 10:10:04] <mrrx> (gentoo portage)
[2009/05/25 10:10:14] <nasrat> oh
[2009/05/25 10:10:32] <jamesturnbull> I am having a flashback - I would swear I have had this conversation
[2009/05/25 10:10:44] <mrrx> heh, it wasn't me :p
[2009/05/25 10:11:04] <flashn> deja vu
[2009/05/25 10:11:21] <flashn> it has happened, in a parallel universe >;)
[2009/05/25 10:13:09] <jamesturnbull> mrrx: well you could run puppetrun
[2009/05/25 10:14:00] <jamesturnbull> mrrx: for example if oyu had config in a svn repo you could have a hook trigger a puppetrun run
[2009/05/25 10:15:34] <mrrx> you suggest using tags?
[2009/05/25 10:17:27] <jamesturnbull> mrrx: from memory if you don't specify a tag all the config gets run but someone who has used puppetrun more recently than me might need to test/confirm that
[2009/05/25 10:17:39] <mrrx> this is not o problem at just. Just "convinience"
[2009/05/25 10:17:56] <mrrx> umm
[2009/05/25 10:18:02] <mrrx> that phrase doesn't sound right
[2009/05/25 10:18:52] <mrrx> "this is not a problem. I can rerun puppet as you suggested earlier. Just a matter of convinience"
[2009/05/25 10:19:23] <werner__> is it possible to push a configuration change from the puppetmaster to a puppet client (if there's no connection possible from the client to puppetmaster)
[2009/05/25 10:20:05] <mrrx> puppetrun does that i think, puppetd must be running on the client; of course
[2009/05/25 10:20:17] <werner__> puppetrun triggers a client to connect to the puppetmaster, that's not what we want
[2009/05/25 10:20:54] <werner__> in our case the puppetmaster can connect to the client but the client cannot connect to the puppetmaster
[2009/05/25 10:25:58] @ nakano is now known as nakano_
[2009/05/25 10:29:31] @ martha joined channel #puppet
[2009/05/25 10:38:40] <werner__> it seems to be feature #2045
[2009/05/25 10:38:40] <gepetto> werner__: #2045 is http://projects.reductivelabs.com/issues/show/2045 "Puppet - Feature #2045: 'Push' functionality in puppetmaster to clients - ReductiveLabs.com"
[2009/05/25 10:39:01] <werner__> yes i found it with google
[2009/05/25 10:39:18] @ kelseyhightower joined channel #puppet
[2009/05/25 10:40:05] <werner__> status= accepted
[2009/05/25 10:40:20] <werner__> does this mean it will be available in a future version?
[2009/05/25 10:40:57] <gebi> is it recommeded to run puppetd in one-shot mode from cron?
[2009/05/25 10:41:07] @ Quit: lak:
[2009/05/25 10:43:17] <werner__> available in 3.0.0? 8 months? can anyone confirm this?
[2009/05/25 10:44:13] <ch> werner__: the bug says target version = unplanned
[2009/05/25 10:45:24] <f3ew> werner__ have you read the push vs pull part of Steve Traugott's paper?
[2009/05/25 10:48:49] <nasrat> f3ew: link?
[2009/05/25 10:49:17] <nasrat> bootstrapping an infra paper?
[2009/05/25 10:49:25] <f3ew> http://www.infrastructures.org/bootstrap/pushpull.shtml
[2009/05/25 10:49:26] <f3ew> yes
[2009/05/25 10:50:02] * f3ew prefers to think of it as yet another instance of DRY
[2009/05/25 10:50:14] <werner__> f3ew: no
[2009/05/25 10:50:18] @ Quit: mvn071: "Leaving"
[2009/05/25 10:50:24] <werner__> f3ew: where can i find that paper
[2009/05/25 10:50:47] <f3ew> http://www.infrastructures.org/bootstrap/papers.shtml
[2009/05/25 10:51:03] <f3ew> the relevant bit is the first link
[2009/05/25 10:51:12] <f3ew> The whole paper is available at the second
[2009/05/25 10:51:21] @ hessml joined channel #puppet
[2009/05/25 10:52:18] <nasrat> f3ew: sure but you could potentially have a publish/subscribe type setup as extra information on when the client should act (but not assume it's there)
[2009/05/25 10:52:36] <nasrat> put that's not really push
[2009/05/25 10:52:45] <f3ew> nasrat, puppetrun + a messagebus
[2009/05/25 10:52:52] <nasrat> f3ew: pretty much
[2009/05/25 10:53:01] <f3ew> that's not what werner__ is asking for
[2009/05/25 10:53:06] <nasrat> yeah I know
[2009/05/25 10:53:18] <nasrat> the problem here seems to be firewalling
[2009/05/25 10:53:25] <f3ew> Yup
[2009/05/25 10:53:34] <SyTonnerre> .oO(Stupid NAT)
[2009/05/25 10:53:45] <f3ew> IPv6!
[2009/05/25 10:53:57] <SyTonnerre> Yes, but not everywhere yet
[2009/05/25 10:54:06] <SyTonnerre> Everywhere in our network though ;)
[2009/05/25 10:54:22] <f3ew> hehe
[2009/05/25 10:54:26] @ roald joined channel #puppet
[2009/05/25 10:54:53] @ shake-n-bake joined channel #puppet
[2009/05/25 10:55:06] <nasrat> the problem with push is also scaling it sanely depending on your refresh window
[2009/05/25 10:55:39] <f3ew> that too
[2009/05/25 10:55:40] @ Quit: madrescher: "Leaving."
[2009/05/25 10:55:50] <f3ew> The fundamental problem with push is DRY
[2009/05/25 10:56:08] <f3ew> violating DRY causes side effects
[2009/05/25 10:56:34] <nasrat> yup
[2009/05/25 10:57:00] <nasrat> werner__: so the problem is you have a communication gap between the clients and the server?
[2009/05/25 10:57:15] <werner__> nasrat: yes
[2009/05/25 10:57:15] <nasrat> is that not infrastructure in your control
[2009/05/25 10:57:35] <werner__> well, because of security
[2009/05/25 10:58:09] <nasrat> what is the risk you are trying to mitigate by not allowing the clients to pull their configuration
[2009/05/25 10:58:17] <werner__> what do you mean with violating dry causes side effects?
[2009/05/25 10:58:38] <nasrat> DRY = don't repeat yourself
[2009/05/25 10:59:38] <HarryCalahan> writing something in two places (repeating it) normaly gets f***ed up later when it needs changes because one place is always forgotten
[2009/05/25 11:00:27] <werner__> because we don't want the clients to have a connection to the server, you cannot allow a route based on a port
[2009/05/25 11:00:27] @ hessmll joined channel #puppet
[2009/05/25 11:00:31] <f3ew> HarryCalahan, DBAs call it normalisation
[2009/05/25 11:00:40] * f3ew blinks
[2009/05/25 11:00:57] <nasrat> but you can have port based firewalling
[2009/05/25 11:01:16] * HarryCalahan looks at one of the databases... 400Tables three foreign keys. *nah* wont start to think about normalisation
[2009/05/25 11:01:25] <nasrat> if you don't trust your clients, how can you trust them to do the right thing about configuring themselves
[2009/05/25 11:01:30] * f3ew denormalises HarryCalahan
[2009/05/25 11:01:41] @ HarryCalahan is now known as hARRYcALAHAN
[2009/05/25 11:01:45] * f3ew is actually recommending denormalising some data
[2009/05/25 11:02:11] @ Quit: shake-n-bake:
[2009/05/25 11:02:52] <hARRYcALAHAN> werner__: what are you trying to achieve? That the master connects to the client and then the client reads files over this connection?
[2009/05/25 11:02:54] <nasrat> werner__: for puppet the communication is ssl, so the server knows it's a authorized client
[2009/05/25 11:03:01] @ hARRYcALAHAN is now known as HarryCalahan
[2009/05/25 11:03:22] <werner__> harrycalahan: yes
[2009/05/25 11:03:30] <nico> people managing NFS mounts from puppet around ?
[2009/05/25 11:03:37] <HarryCalahan> werner__: what is the benefit over the over way around
[2009/05/25 11:03:39] <HarryCalahan> nico: me
[2009/05/25 11:03:48] @ jo joined channel #puppet
[2009/05/25 11:03:53] <HarryCalahan> nico: mounts on the client system not the nfs server
[2009/05/25 11:04:01] <nico> HarryCalahan: how do you check the mount status ?
[2009/05/25 11:04:04] <nico> /etc/mtab ?
[2009/05/25 11:04:18] <HarryCalahan> nico: puppet does it for me
[2009/05/25 11:04:41] <nico> the File type ?
[2009/05/25 11:04:50] <HarryCalahan> nico: the mount type
[2009/05/25 11:04:59] <nico> huh
[2009/05/25 11:05:06] <nico> woot \o/
[2009/05/25 11:05:37] <HarryCalahan> nico: http://pastie.org/489054
[2009/05/25 11:06:06] @ Bass10 joined channel #puppet
[2009/05/25 11:06:08] <jo> (i'm with Werner, let me try to explain :-) )
[2009/05/25 11:06:20] <jo> point is, we have some "extreme" security measures at our corp
[2009/05/25 11:06:28] <nico> HarryCalahan: thx, nice
[2009/05/25 11:06:45] <jo> it's an academic situation, so "trust" is difficult
[2009/05/25 11:06:45] @ andrewcshafer joined channel #puppet
[2009/05/25 11:07:05] <jo> (experimentation is encouraged in an academic facility)
[2009/05/25 11:07:07] <jo> anyway
[2009/05/25 11:07:22] @ Quit: pleemans: Read error: 113 (No route to host)
[2009/05/25 11:07:29] <jo> we (system management) have a central "configuration" server, which contains all configuration of the machines we manage
[2009/05/25 11:07:50] <jo> that does not include "applications" (ie. toledo, tomcat, oracle, etc.)
[2009/05/25 11:08:10] <jo> so we can not trust the machines, but we want to enforce our configuration on them
[2009/05/25 11:08:28] @ Quit: nasrat:
[2009/05/25 11:08:40] <jo> if for any reason this does not succeed (eg. the host was compromised), we reinstall vanilla, push configuration
[2009/05/25 11:08:52] <jo> and "problem solved"
[2009/05/25 11:09:03] <jo> (of course, to utopic, but you get the point)
[2009/05/25 11:09:29] <jo> we have to maximize security of our central configuration server, therefore as little machines as possible can access it
[2009/05/25 11:09:49] <jo> there are no routes defined, the routers don't forward connection tries, etc.
[2009/05/25 11:10:00] <jo> configuration machine cán contact all our machines
[2009/05/25 11:10:01] <jo> so
[2009/05/25 11:10:04] <jo> one way would be:
[2009/05/25 11:10:26] <jo> ssh from configuration machine to host, and open an ssh tunnel, then route traffic over that tunnel
[2009/05/25 11:10:35] <jo> this works, but presents some extra trouble with certificates
[2009/05/25 11:10:41] <jo> but we got that working anyway
[2009/05/25 11:11:12] <jo> a much nicer way would be to make puppet automatically perform this "routing" if you run "puppetrun"
[2009/05/25 11:11:41] <jo> puppetrun makes a connection to the puppetd on the host, and this is where the host *could* start pulling what it needs over that connection
[2009/05/25 11:12:06] <jo> (instead, puppetrun asks the host to make a new connection to it's puppetmaster, which does not work)
[2009/05/25 11:13:31] <HarryCalahan> jo: wrapping puppetrun in a small shell script. this connects via ssh to the client, sets the tunnel and kicks puppetd. once done terminate ssh connection.
[2009/05/25 11:13:55] <jo> like I said, certificates present problems
[2009/05/25 11:13:57] <HarryCalahan> jo: but still don't get the security benefit.
[2009/05/25 11:14:14] <HarryCalahan> client -> master: check that client ip is allowed to connect. Make SSL handshake. check client presents a known and trusted SSL cert.
[2009/05/25 11:14:18] <jo> certificate signed by "puppetmaster.domain", but puppetd connects to "localhost"
[2009/05/25 11:14:39] <jo> ah, but the problem is not per se the puppet connection
[2009/05/25 11:14:56] <jo> the problem could be any other problems (like ssh)
[2009/05/25 11:15:36] @ Pior joined channel #puppet
[2009/05/25 11:15:38] <Pior> hello
[2009/05/25 11:15:42] <jo> solution for this certificate problem is to add "127.0.0.1 puppetmaster.domain" to /etc/hosts, and then make puppetd connect to puppetmaster.domain
[2009/05/25 11:15:45] <jo> this works
[2009/05/25 11:15:47] <jo> but is nasty
[2009/05/25 11:15:49] <HarryCalahan> jo: i don't get it. Do you want to protect your puppetmaster, so that a compromised client can't start to attack it?
[2009/05/25 11:15:54] <jo> voila
[2009/05/25 11:16:01] <jo> puppetmaster is not only puppetmaster
[2009/05/25 11:16:07] <jo> it does more than that
[2009/05/25 11:16:21] <HarryCalahan> jo: add a firewall to the master. add connection rate limits.
[2009/05/25 11:16:47] <jo> okay, this discussion is going nowhere :-)
[2009/05/25 11:16:48] <HarryCalahan> allow incoming connections with a rate limit to the puppetport from known puppet clients.
[2009/05/25 11:16:58] <HarryCalahan> jo: looks like it ;)
[2009/05/25 11:16:58] <Pior> I would like to be able to define different web application and their php module dependency
[2009/05/25 11:17:28] <Pior> but obviously it doesn't work because Package can't be defined multiple times
[2009/05/25 11:17:40] <Pior> is there a way to achieve that anyway ?
[2009/05/25 11:18:03] <jo> HarryCalahan: there are plenty ways to protect systems, including firewalls, but the choice here includes denying any access from most machines to our "central server"
[2009/05/25 11:18:31] <jo> we have to live with that, and change other plans to work with it ..
[2009/05/25 11:18:44] <jo> so no point in discussing why we shouldn't do it, it's not my call
[2009/05/25 11:18:46] <HarryCalahan> jo: *hm*. But as soon as you run a connection (initiated from the master to the client), the client could attack you over this connection
[2009/05/25 11:18:56] <jo> that's correct
[2009/05/25 11:19:02] <jo> therefore: limit connections ;-)
[2009/05/25 11:19:11] <jo> an attack could happen then during a few minutes
[2009/05/25 11:19:15] <jo> not 24/7
[2009/05/25 11:19:18] <HarryCalahan> jo: if i compromised the client i can exchange the puppetd there and then....
[2009/05/25 11:19:31] <jo> and the attacks for that are much more limited
[2009/05/25 11:19:49] <jo> and then try to crash the puppetmaster
[2009/05/25 11:19:58] <jo> (well, overflow it, probably)
[2009/05/25 11:20:06] @ andrewcshafer_ joined channel #puppet
[2009/05/25 11:20:16] <jo> yet, I'm looking in this "state" file; maybe a simple scp would work :-)
[2009/05/25 11:20:48] <HarryCalahan> jo: would dynamic firewall rules on the puppetmaster be possible. If you know when you want to run puppet, open up the firewall, puppetrun, close firewall
[2009/05/25 11:21:16] <jo> this would involve reconfiguring multiple routers ...
[2009/05/25 11:21:29] <HarryCalahan> jo: multiple. oh my...
[2009/05/25 11:21:52] <jo> :p
[2009/05/25 11:23:01] <HarryCalahan> for me rate limiting was always enough. As soon as a client starts to act wierd and makes a lot of connections to me. blackhole him for n-hours and write an email
[2009/05/25 11:23:18] @ Quit: hessml: "Leaving..."
[2009/05/25 11:25:42] @ Quit: verwilst: "Ex-Chat"
[2009/05/25 11:27:35] @ lak joined channel #puppet
[2009/05/25 11:27:43] @ hessml joined channel #puppet
[2009/05/25 11:29:39] @ Quit: HarryCalahan: "."
[2009/05/25 11:32:19] @ Quit: briandquinn:
[2009/05/25 11:35:36] @ Quit: andrewcshafer: Read error: 113 (No route to host)
[2009/05/25 11:35:50] @ MarlondB is now known as help
[2009/05/25 11:36:29] @ help is now known as Guest10570
[2009/05/25 11:36:55] @ andrewcshafer joined channel #puppet
[2009/05/25 11:38:28] @ Quit: omry|work: Read error: 104 (Connection reset by peer)
[2009/05/25 11:44:37] @ briandquinn joined channel #puppet
[2009/05/25 11:45:37] @ Quit: pluesch0r: "shboom."
[2009/05/25 11:52:17] @ Quit: andrewcshafer_: Read error: 113 (No route to host)
[2009/05/25 11:58:31] @ Quit: Guest10570:
[2009/05/25 12:00:45] @ Quit: Innocenti: Client Quit
[2009/05/25 12:01:02] @ Quit: alban2: Read error: 110 (Connection timed out)
[2009/05/25 12:17:49] @ nakano_ is now known as nakano
[2009/05/25 12:20:22] @ devicenull joined channel #puppet
[2009/05/25 12:23:18] <joe-mac> is this something to worry about?
[2009/05/25 12:23:19] <joe-mac> Cannot manage ownership unless running as root
[2009/05/25 12:23:29] <joe-mac> puppetmasterd is saying that ona bunch of cetrtificate files
[2009/05/25 12:27:24] @ pleemans joined channel #puppet
[2009/05/25 12:41:21] @ shake-n-bake joined channel #puppet
[2009/05/25 12:43:17] @ jmarki joined channel #puppet
[2009/05/25 12:50:10] @ Quit: hessml: "Leaving..."
[2009/05/25 12:51:30] @ authentic joined channel #puppet
[2009/05/25 12:53:50] @ Quit: lak:
[2009/05/25 13:03:21] @ Quit: briandquinn:
[2009/05/25 13:06:02] @ mfoster joined channel #puppet
[2009/05/25 13:14:55] @ lak joined channel #puppet
[2009/05/25 13:20:29] @ Quit: jmarki: "Leaving"
[2009/05/25 13:24:08] @ plathrop-away is now known as plathrop
[2009/05/25 13:26:48] @ Quit: fujin:
[2009/05/25 13:37:58] @ plathrop is now known as plathrop-away
[2009/05/25 13:39:58] @ plathrop-away is now known as plathrop
[2009/05/25 13:43:01] @ alban2 joined channel #puppet
[2009/05/25 13:49:27] @ Quit: lak:
[2009/05/25 13:55:26] @ lak joined channel #puppet
[2009/05/25 13:59:58] @ MarlondB joined channel #puppet
[2009/05/25 14:03:15] @ Quit: tsb: "No Ping reply in 30 seconds."
[2009/05/25 14:04:08] @ Quit: shake-n-bake:
[2009/05/25 14:05:06] @ tsb joined channel #puppet
[2009/05/25 14:07:50] @ cwebber joined channel #puppet
[2009/05/25 14:21:17] @ chip__ joined channel #puppet
[2009/05/25 14:25:52] @ yarihm joined channel #puppet
[2009/05/25 14:27:47] @ omry|work joined channel #puppet
[2009/05/25 14:30:38] @ nasrat joined channel #puppet
[2009/05/25 14:30:48] @ Quit: nasrat: Client Quit
[2009/05/25 14:31:38] @ plathrop is now known as plathrop-away
[2009/05/25 14:36:18] @ Quit: atlan_: Read error: 110 (Connection timed out)
[2009/05/25 15:07:16] @ Quit: cwebber:
[2009/05/25 15:12:03] @ Quit: lak:
[2009/05/25 15:26:44] @ Quit: aymerick: "kit mais sage"
[2009/05/25 15:30:00] @ verwilst joined channel #puppet
[2009/05/25 15:33:13] @ Quit: wilturn: Read error: 104 (Connection reset by peer)
[2009/05/25 15:49:41] @ wilturn joined channel #puppet
[2009/05/25 15:52:19] @ Quit: andrewcshafer:
[2009/05/25 15:55:40] @ Quit: verwilst: "Ex-Chat"
[2009/05/25 16:03:15] @ madrescher joined channel #puppet
[2009/05/25 16:04:12] @ fbe joined channel #puppet
[2009/05/25 16:04:41] @ Quit: d3vilb0x:
[2009/05/25 16:08:24] @ hessml joined channel #puppet
[2009/05/25 16:12:06] * monachus is in limbo.
[2009/05/25 16:18:55] @ mvn071 joined channel #puppet
[2009/05/25 16:20:34] @ nasrat joined channel #puppet
[2009/05/25 16:20:34] @ lak joined channel #puppet
[2009/05/25 16:21:25] @ Quit: hessml: "Leaving..."
[2009/05/25 16:26:53] @ cwebber joined channel #puppet
[2009/05/25 16:31:26] <lak> joe-mac: no, it's not something to worry about
[2009/05/25 16:31:35] <joe-mac> alright cool, thanks laki
[2009/05/25 16:31:36] <lak> (response to question from this morning)
[2009/05/25 16:33:41] @ Quit: nasrat:
[2009/05/25 16:35:33] @ Quit: MarlondB:
[2009/05/25 16:40:35] <joe-mac> yea, i figured, channels' been pretty quiet
[2009/05/25 16:45:59] @ webx joined channel #puppet
[2009/05/25 16:48:44] @ Quit: pleemans: Read error: 110 (Connection timed out)
[2009/05/25 16:48:44] @ Quit: madrescher: Read error: 104 (Connection reset by peer)
[2009/05/25 16:49:12] @ madrescher joined channel #puppet
[2009/05/25 16:50:33] @ jmeeuwen joined channel #puppet
[2009/05/25 16:57:36] @ Quit: mfoster: "Leaving."
[2009/05/25 17:00:01] @ Quit: lludwig: "Leaving."
[2009/05/25 17:00:11] @ lludwig joined channel #puppet
[2009/05/25 17:03:57] @ nasrat joined channel #puppet
[2009/05/25 17:04:03] @ Quit: nasrat: Remote closed the connection
[2009/05/25 17:30:20] <joe-mac> hey lak, if i am running something with shell variables in it, do i need to escape the $ or something
[2009/05/25 17:33:38] @ andrewcshafer joined channel #puppet
[2009/05/25 17:40:35] @ Quit: mvn071: "Leaving"
[2009/05/25 17:47:54] <lak> joe-mac: yeah, or use single quotes
[2009/05/25 17:48:14] @ Quit: cwebber:
[2009/05/25 17:49:29] <joe-mac> k, thanks
[2009/05/25 17:56:22] @ andrewcshafer_ joined channel #puppet
[2009/05/25 18:03:36] @ lludwig left channel #puppet ()
[2009/05/25 18:11:02] @ Quit: andrewcshafer: Read error: 113 (No route to host)
[2009/05/25 18:13:30] @ Quit: lak:
[2009/05/25 18:17:52] @ mfournie1 joined channel #puppet
[2009/05/25 18:20:16] @ kolla joined channel #puppet
[2009/05/25 18:29:33] @ Quit: mfournier: Read error: 113 (No route to host)
[2009/05/25 18:30:48] @ fujin joined channel #puppet
[2009/05/25 18:33:39] <joe-mac> what is with state got corrupted errors? is that known in .24.8?
[2009/05/25 18:43:26] @ lak joined channel #puppet
[2009/05/25 18:45:50] @ nakano is now known as nakano_
[2009/05/25 18:46:46] @ Quit: mfournie1: Read error: 113 (No route to host)
[2009/05/25 18:47:32] @ cwebber joined channel #puppet
[2009/05/25 18:50:39] @ Quit: andrewcshafer_: Read error: 113 (No route to host)
[2009/05/25 18:51:53] @ Quit: lak:
[2009/05/25 18:51:55] @ andrewcshafer joined channel #puppet
[2009/05/25 18:54:25] @ d3vilb0x joined channel #puppet
[2009/05/25 18:56:55] @ Quit: cwebber:
[2009/05/25 18:59:42] @ Quit: agaffney: "Reconnecting"
[2009/05/25 18:59:46] @ agaffney joined channel #puppet
[2009/05/25 19:10:03] @ Quit: madrescher: "Leaving."
[2009/05/25 19:11:08] @ Quit: martha: "Leaving."
[2009/05/25 19:32:48] @ Quit: Pior: Read error: 110 (Connection timed out)
[2009/05/25 19:50:13] @ Quit: kelseyhightower:
[2009/05/25 19:57:29] <agaffney> meh
[2009/05/25 19:57:37] <agaffney> silly puppet
[2009/05/25 19:57:55] <agaffney> I'm trying to get puppet to remove ppp and anything depending on it on centos
[2009/05/25 19:58:22] <agaffney> but instead of doing 'yum erase ppp', it's checking the package with rpm and seeing that other stuff depends on it
[2009/05/25 19:59:36] @ cwebber joined channel #puppet
[2009/05/25 20:01:54] @ Quit: Bass10: Read error: 110 (Connection timed out)
[2009/05/25 20:10:03] @ Quit: hessmll: "Leaving..."
[2009/05/25 20:12:25] @ Quit: andrewcshafer:
[2009/05/25 20:20:35] @ lak joined channel #puppet
[2009/05/25 20:22:44] @ Djelibeybi joined channel #puppet
[2009/05/25 20:27:02] @ Quit: cwebber:
[2009/05/25 20:27:39] @ mfoster joined channel #puppet
[2009/05/25 20:27:41] @ Quit: mfoster: Read error: 104 (Connection reset by peer)
[2009/05/25 20:27:59] @ mfoster joined channel #puppet
[2009/05/25 20:33:57] <joe-mac> agaffney: what is your ensure value?
[2009/05/25 20:34:10] <joe-mac> you could try also forcing the provider
[2009/05/25 20:34:22] <joe-mac> anybody here ever set up their own apt repo?
[2009/05/25 20:34:23] @ cwebber joined channel #puppet
[2009/05/25 20:35:23] @ Quit: lak:
[2009/05/25 20:35:45] <agaffney> joe-mac: I found another way around it
[2009/05/25 20:35:53] <joe-mac> nice, what was it?
[2009/05/25 20:36:09] <agaffney> exec { "yum erase -y <package>": onlyif => "rpm -ql <package>" }
[2009/05/25 20:36:37] <agaffney> 'rpm -ql' returns 1 if the package doesn't exist
[2009/05/25 20:37:09] <agaffney> even with the yum provider, puppet uses 'rpm -e' to erase packages
[2009/05/25 20:37:19] <agaffney> which won't do the stuff that depends on it
[2009/05/25 20:37:48] <joe-mac> really? that seems like a bug...
[2009/05/25 20:37:59] <joe-mac> i was thinking the ensure => value might have something to dow ith that
[2009/05/25 20:38:27] <agaffney> I was using 'ensure => "absent"'
[2009/05/25 20:38:48] <joe-mac> did you try ensure => "purged"?
[2009/05/25 20:38:52] <agaffney> yes, didn't help
[2009/05/25 20:38:54] <joe-mac> wondering if that makes a different
[2009/05/25 20:38:57] <joe-mac> ah, weird
[2009/05/25 20:39:04] <agaffney> and it gave a bunch of extra output
[2009/05/25 20:39:08] <agaffney> for packages that were already removed
[2009/05/25 20:39:17] <agaffney> acting like it was doing something
[2009/05/25 20:39:20] <agaffney> on every run
[2009/05/25 20:39:34] <agaffney> notice: //Node[puppet.broadstripe.com]/default_node/centos/Centos::Remove_package[bluez-hcidump]/Package[bluez-hcidump]/ensure: created
[2009/05/25 20:40:08] <agaffney> that was with 'ensure => "purged"' and the package was already uninstalled
[2009/05/25 20:41:49] @ Quit: cwebber:
[2009/05/25 20:54:00] @ garin_ joined channel #puppet
[2009/05/25 21:00:53] @ PaulWay joined channel #puppet
[2009/05/25 21:01:11] @ fbe_ joined channel #puppet
[2009/05/25 21:01:36] <webx> if I'm upgrading the puppet server from 24.6 to 24.7, are all of the manifests backwards compatible?
[2009/05/25 21:01:44] <webx> or even from 24.6 to 24.8
[2009/05/25 21:04:44] @ Quit: fbe: Read error: 104 (Connection reset by peer)
[2009/05/25 21:11:32] @ Quit: bgupta:
[2009/05/25 21:11:41] @ bgupta joined channel #puppet
[2009/05/25 21:11:42] <tessier> I am trying to copy some files to my systems as part of a module. In my init.pp I have source => "puppet:///sudo/sudoers", but it appears to be looking for a server named "puppet" in dns. But the puppet:/// is specifying the protocol puppet not the server right? Where am I supposed to be telling it what server to get these files from?
[2009/05/25 21:13:30] <Djelibeybi> tessier: puppet://fq.dn/sudo/sudoers would work
[2009/05/25 21:13:53] <Djelibeybi> tessier: otherwise, if this is a EL box, /etc/sysconfig/puppet can be used to override the default of "puppet" for the hostname of the puppet master
[2009/05/25 21:14:09] <tessier> Ah. And it is EL
[2009/05/25 21:14:13] <Djelibeybi> I suspect other distro's startup scripts would allow some way of providing the --server parameter to puppetd
[2009/05/25 21:15:02] <Djelibeybi> tessier: in which case, check out /etc/sysconfig/puppet
[2009/05/25 21:18:34] <tmz> tessier: it's also worth noting that using puppet:/// is a shortcut for saying puppet://$puppetmaster/. I thought this was mentioning in the TypeReference, but I can't find it there. it is mentioning at http://reductivelabs.com/trac/puppet/wiki/AdvancedPuppetRecipe
[2009/05/25 21:21:26] * joe-mac punches apt in the head
[2009/05/25 21:22:31] <webx> tessier: as Djelibeybi suggests, use /etc/sysconfig/puppet to define the puppet server and then you can use puppet:/// as you were. I use the same syntax on my CentOS farm, but I needed to set the puppet server first in sysconfig.
[2009/05/25 21:23:16] <webx> mine's just one line: PUPPET_SERVER=f.q.d.n of the puppet server
[2009/05/25 21:25:15] <webx> transport?
[2009/05/25 21:25:27] <webx> hmm, anyone know the link for transport docs?
[2009/05/25 21:26:27] <webx> http://reductivelabs.com/trac/puppet/wiki/UsingPassenger
[2009/05/25 21:26:28] <webx> nm :)
[2009/05/25 21:30:16] @ kelseyhightower joined channel #puppet
[2009/05/25 21:35:03] @ yarihm_ joined channel #puppet
[2009/05/25 21:36:17] @ Quit: nevyn__: Read error: 110 (Connection timed out)
[2009/05/25 21:37:23] @ nevyn joined channel #puppet
[2009/05/25 21:41:09] @ JibbaD joined channel #puppet
[2009/05/25 21:41:34] @ Quit: yarihm: Read error: 104 (Connection reset by peer)
[2009/05/25 21:49:59] @ Quit: nevyn: Read error: 60 (Operation timed out)
[2009/05/25 21:52:24] @ Quit: JibbaD_: Read error: 110 (Connection timed out)
[2009/05/25 21:53:35] @ nevyn joined channel #puppet
[2009/05/25 21:55:25] @ WALoeIII joined channel #puppet
[2009/05/25 21:55:57] <agaffney> does puppet "need" redhat-lsb on RHEL/Centos?
[2009/05/25 21:56:15] <agaffney> I remember reading somewhere that it did, but the EPEL RPM doesn't seem to require it
[2009/05/25 21:56:41] @ Quit: phips: Read error: 60 (Operation timed out)
[2009/05/25 21:58:26] <Djelibeybi> agaffney: puppet doesn't, but Facter will use it
[2009/05/25 21:58:36] <Djelibeybi> agaffney: otherwise, you don't get the lsbdist* facts
[2009/05/25 21:58:46] <agaffney> hmm, is that it?
[2009/05/25 21:58:56] <tmz> that's all I'm aware of too.
[2009/05/25 21:59:15] @ Quit: edwardam: "So much for a vacation...."
[2009/05/25 21:59:16] @ londo__ joined channel #puppet
[2009/05/25 21:59:28] @ Quit: londo: Read error: 113 (No route to host)
[2009/05/25 21:59:41] <agaffney> hmm, none of those values look useful to me
[2009/05/25 22:00:03] <agaffney> the ones that do I've already got with operatingsystem and operatingsystemrelease
[2009/05/25 22:00:07] <tmz> I know several folks on rhel/centos that strip redhat-lsb religiously and have not reported any issues with puppet.
[2009/05/25 22:00:38] <agaffney> I'm adding a bunch of packages to forcibly remove for my CentOS boxes
[2009/05/25 22:00:46] <agaffney> redhat-lsb is getting in the way of a lot of them
[2009/05/25 22:00:55] <tmz> agaffney: one oddity with operatingsystemrelease is that it differs between rhel and centos currently (one reports only the major number, the other reports the point release as well)
[2009/05/25 22:00:55] <agaffney> now I won't let it :P
[2009/05/25 22:01:18] <agaffney> tmz: I've noticed that
[2009/05/25 22:01:31] <agaffney> but I don't think that's an issue for me
[2009/05/25 22:02:06] <tmz> yeah, it's easy enough to deal with, once you know about it.
[2009/05/25 22:05:07] <PaulWay> why strip redhat-lsb?
[2009/05/25 22:05:35] <agaffney> because it's not necessary
[2009/05/25 22:06:26] <PaulWay> *shrugs* OK.
[2009/05/25 22:06:40] <PaulWay> Do you replace bash with bourne shell?
[2009/05/25 22:07:01] <tmz> it pulls in cups, for one. having that on a server bothers some people. :)
[2009/05/25 22:07:15] <PaulWay> Fair enough :-)
[2009/05/25 22:07:24] <agaffney> yep, that's one thing it was blocking me killing
[2009/05/25 22:07:27] <agaffney> no need for cups :P
[2009/05/25 22:09:26] @ atlan_ joined channel #puppet
[2009/05/25 22:11:08] <PaulWay> Amazing how much depends on cups...
[2009/05/25 22:11:57] @ Quit: chip__: Read error: 60 (Operation timed out)
[2009/05/25 22:31:07] @ mechcow joined channel #puppet
[2009/05/25 22:31:29] <mechcow> is it possible to have an array of nodes and pass that array to a template ?
[2009/05/25 22:31:40] <mechcow> I would like to auto-generate an XML file based on some of the values within the nodes
[2009/05/25 22:36:54] @ comprehensive joined channel #puppet
[2009/05/25 22:37:44] <dixond> how do people here manage their per-node manifests?
[2009/05/25 22:38:19] <dixond> I'd like to be able to group 'types' of servers or 'functions' of certain nodes, but I can only inherit from one base node class at a time?
[2009/05/25 22:38:25] <agaffney> common resources in general classes/modules
[2009/05/25 22:38:34] <agaffney> and then specify each node and tell it which classes to inherit
[2009/05/25 22:38:48] <agaffney> yeah, it's easier to include a class than to inherit from a node
[2009/05/25 22:38:55] <agaffney> since you can include multiple classes
[2009/05/25 22:39:01] <dixond> agaffney: right, so you end up with a long stanza per each node of all the relevant classes for that node?
[2009/05/25 22:39:10] <agaffney> not really
[2009/05/25 22:39:20] <agaffney> not unless you have *really* diverse hosts
[2009/05/25 22:39:32] <dixond> agaffney: I have a variety of really diverse hosts
[2009/05/25 22:39:36] <agaffney> heh
[2009/05/25 22:39:52] <dixond> agaffney: but they group together in sets, like 'the database hosts' and 'the web container hosts' etc.
[2009/05/25 22:40:06] <agaffney> use classes
[2009/05/25 22:40:13] <dixond> agaffney: it'd be nice to be able to say at a high level 'machine X is a webcontainer and load balancer'
[2009/05/25 22:40:17] <dixond> agaffney: hm
[2009/05/25 22:40:30] <agaffney> also, you can do: node 'node1', 'node2', 'node3', 'node4' {
[2009/05/25 22:40:37] <agaffney> I do that for my 6 identical DNS servers
[2009/05/25 22:41:02] <dixond> agaffney: ok... a hybrid of those two approaches might get me there... thanks for pointer.
[2009/05/25 22:41:57] <agaffney> I'm using both of those approaches
[2009/05/25 22:46:14] @ nwp joined channel #puppet
[2009/05/25 22:48:40] <dixond> hrm, can I break long lines in a .pp file with a '\' ?
[2009/05/25 22:49:12] <agaffney> that's a good question
[2009/05/25 22:49:14] <agaffney> [ line 81/86 (94%), col 558/558 (100%), char 2137/2363 (90%) ]
[2009/05/25 22:49:18] <agaffney> *cough*
[2009/05/25 22:49:55] <dixond> aha :)
[2009/05/25 22:51:14] <agaffney> a very long list of packages to uninstall on my centos machines
[2009/05/25 22:51:16] <agaffney> and it's growing :P
[2009/05/25 22:51:49] <agaffney> trying to get some older "normal" installs (GUI and all) down to a manageable level
[2009/05/25 22:51:58] <agaffney> 307 packages on one of my newer installs
[2009/05/25 22:52:27] <agaffney> 441 still on this centos 5.0 install that had a GUI
[2009/05/25 22:54:02] <dixond> ouch.
[2009/05/25 22:54:24] <agaffney> I cringe every time I have to use the KVM on one of these boxes and see a GDM login screen
[2009/05/25 22:54:30] <agaffney> especially when it's just a simple internal web server
[2009/05/25 22:59:22] @ shake-n-bake joined channel #puppet
[2009/05/25 23:05:38] @ Quit: yarihm_: "Leaving"
[2009/05/25 23:12:14] <comprehensive> has anyone tried mysql stored configs?
[2009/05/25 23:15:31] @ Quit: WALoeIII: "Bai."
[2009/05/25 23:27:25] @ Quit: shake-n-bake:
[2009/05/25 23:33:10] @ Quit: d3vilb0x:
[2009/05/25 23:34:00] @ Quit: lurbs: Remote closed the connection
[2009/05/25 23:49:05] @ shake-n-bake joined channel #puppet
« Sunday, 2009-05-24 Index Tuesday, 2009-05-26 »

Generated by irclog2html.py 2.6 by Marius Gedminas - find it at mg.pov.lt!