# puppet
  • b

    bastelfreak

    08/08/2025, 5:03 PM
    There are awesome puppet trainings that teach you that 🙂
  • j

    jms1

    08/08/2025, 5:05 PM
    i'm aware ... i did the old practitioner course right after they started not requiring students to physically travel to portland (the company was okay paying for the training but not the travel)
  • j

    jms1

    08/08/2025, 5:41 PM
    so reading the `install.bash` file from PE2023.8.5, it looks like this should work, but it doesn't ...
    ```
    curl -kO https://puppetserver.example.com:8140/packages/current/install.bash
    bash install.bash extension_requests:pp_environment=prod
    ```
  • j

    jms1

    08/08/2025, 5:45 PM
    it didn't create a `csr_attributes.yaml` file at all, and it didn't request a certificate (even after i fixed the typo)
  • j

    jms1

    08/08/2025, 5:49 PM
    this smells like a bug in the `install.bash` script, but i'll need to walk through it to be sure ... it's friday and i'm stopping early, so i'll come back to this on monday ... thanks again for pointing me in the right direction
  • v

    vchepkov

    08/08/2025, 5:54 PM
    I think the script expects a switch, maybe like this?
    ```
    bash install.bash -s -- extension_requests:pp_environment=prod
    ```
  • c

    csharpsteen

    08/08/2025, 6:41 PM
    The `-s` flag is required. `--` might cause an issue if it prevents `bash` from consuming the `-s`. Documentation here: https://help.puppet.com/pe/current/topics/customize-install-script.htm
  • v

    vchepkov

    08/08/2025, 6:43 PM
    ah right, other way around
  • v

    vchepkov

    08/08/2025, 6:44 PM
    the reason I was using -- is to pass `--puppet-service-ensure stopped`
  • j

    jms1

    08/11/2025, 2:01 PM
    okay, i'm seeing the `-s` thing in the middle of a paragraph in that page, it's there but it's easy to miss ... however, reading through the `install.bash` script itself, i didn't see on friday and i'm not seeing now, where it recognizes `-s` as an option that means anything
  • j

    jms1

    08/11/2025, 2:14 PM
    just tried it with the `-s` in there ... the output ended with this:
    ```
    Installed:
      puppet-agent-8.14.0-1.el9.x86_64

    Complete!
    + set +x
    Unable to interpret argument: '-s'. Expected flag or '<section>:<setting>=<value>' matching regex: '^(main|master|agent|user|custom_attributes|extension_requests):([^=]+)=(.*)$'
    Error running install script /tmp/tmp.QoW5f7Foab
    ```
  • j

    jms1

    08/11/2025, 2:17 PM
    and i just checked the PE2023.8.5 version of that link, it also mentions the `-s` flag even though it doesn't appear to work
  • v

    vchepkov

    08/11/2025, 2:33 PM
    I think -s is a bash argument
  • c

    csharpsteen

    08/11/2025, 2:33 PM
    Yup. `-s` is from `man bash`
  • c

    csharpsteen

    08/11/2025, 2:36 PM
    From the `Unable to interpret argument` message, it sounds like you may have used `--` as well. That terminates flag processing, so you have to make sure `-s` is behind it if used.
  • j

    jms1

    08/11/2025, 6:13 PM
    new question: is anybody using certificate extensions in hiera filenames? if so, can you verify that `%{trusted.extensions.pp_environment}` is the correct syntax to use the contents of an extension within a filename? (i still need to build a control repo and a dummy module before i'll be able to "try it" myself)
  • b

    bastelfreak

    08/11/2025, 6:19 PM
    @jms1 yes that's correct
  • j

    jms1

    08/11/2025, 6:19 PM
    i love it when a plan comes together 😁
  • g

    gary

    08/13/2025, 8:01 AM
    Just got hit with unattended-upgrades updating java and multiple puppetserver instances on the same node error about java version mismatch. How does everyone/suggested way of dealing with this?
  • n

    Neeloj

    08/13/2025, 8:13 AM
    hi all, I use puppet with foreman, and get the below error when I run `puppet agent -t`:
    ```
    Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed when searching for node myserver.local: Exception while executing '/etc/puppetlabs/puppet/node.rb': Cannot run program "/etc/puppetlabs/puppet/node.rb" (in directory "."): error=0, Failed to exec spawn helper: pid: 737167, exit value: 1
    ```
    However, running the ENC script manually works fine. No errors are shown in this case:
    ```
    /etc/puppetlabs/puppet/node.rb myserver.local
    ```
  • b

    bastelfreak

    08/13/2025, 8:30 AM
    @gary what kind of updates? java security updates? Or switching from a major version to another?
  • b

    bastelfreak

    08/13/2025, 8:31 AM
    @Neeloj switch to the puppet user and run `/etc/puppetlabs/puppet/node.rb myserver.local`
  • o

    Oleksandr Lytvyn

    08/14/2025, 1:42 PM
    Hello, does anyone use Puppetserver open source in AWS with AWS Secrets Manager as Hiera eyaml backend? Currently i work on a project where we have Puppetserver 7.X on-premise, and we are migrating to AWS. The main difference is that in the current environment we use the Hiera eyaml GPG backend, and in the new environment there is a push from management to switch to AWS Secrets Manager as Hiera eyaml backend (no particular reason/justification, just to use AWS Secrets Manager more for storing secrets). When i look into it i can see a GitHub repo ( https://github.com/Accenture/hiera-aws-sm / https://forge.puppet.com/modules/accenture/hiera_aws_sm/readme ) with last commit in 2018 and some articles. But i cannot understand if it is a working/stable/supported/future-proof solution. I would like to hear your thoughts and/or experience/advice
  • b

    bastelfreak

    08/14/2025, 1:43 PM
    Give it a try and send a patch if it doesn't work?
  • o

    Oleksandr Lytvyn

    08/14/2025, 1:45 PM
    Well, it makes sense, i just asked in parallel with "googling" if someone worked with it and if it was/is stable
  • s

    spp

    08/14/2025, 1:48 PM
    You've got two questions here... Puppet in AWS and Hiera integration with AWS SSM. For the first question, yes, there are lots and lots of people using Puppet in AWS. I don't have a direct answer for the second question, though.
  • c

    CVQuesty

    08/14/2025, 3:09 PM
    I use Hiera with AWS secrets as a backend. It’s a Forge module: https://forge.puppetlabs.com/modules/luizvasconceloss/hiera_ssm_paramstore/readme
  • c

    csharpsteen

    08/14/2025, 3:46 PM
    Yeah, it would have to be a different backend. `hiera-eyaml` stores the encrypted data on disk in YAML files. If the data is being stored externally in a service, then that would have to be a different backend as `hiera-eyaml` only deals in files on disk.
  • j

    jms1

    08/14/2025, 9:08 PM
    question: i'm looking at the `openssl::export::pem_cert` defined type https://forge.puppet.com/modules/puppet/openssl/reference ... it looks like it has to read a PKCS#12 bag from disk? is there a way to make it read the value from a variable, or do i need to write it to disk first? is there a way to extract the certificate's PEM representation on the PE server and include the contents in the catalog? ... or is the idea to make the agent write a `.p12` file on the target machine somewhere, and then declare this type afterward, which runs the appropriate `openssl` commands to read that file and write the `pem` file?