# puppet
  • h

    hbui

    08/11/2022, 4:36 PM
    but doing something like iterating over `keys($facts)`?
  • j

    Joel Wilson

    08/11/2022, 4:37 PM
    That’s what I’m thinking, yes
  • h

    hbui

    08/11/2022, 4:37 PM
    or `$facts.keys()`
  • j

    Joel Wilson

    08/11/2022, 4:37 PM
    I think it’s part of stdlib
  • h

    hbui

    08/11/2022, 4:39 PM
    that particular function seems to be builtin
  • j

    Joel Wilson

    08/11/2022, 4:53 PM
    Can’t remember if there are ruby-isms available in PP, like `$facts.keys().collect()`
  • n

    natemccurdy

    08/11/2022, 4:54 PM
    `map()`: https://puppet.com/docs/puppet/7/function.html#map
  • s

    Slackbot

    08/11/2022, 4:56 PM
    This message was deleted.
  • n

    natemccurdy

    08/11/2022, 5:03 PM
    Not necessarily, since you can remove the `undef` values from the array afterwards. But also, there’s `filter()`: https://puppet.com/docs/puppet/7/function.html#filter
  • k

    Kyle Vandoremalen

    08/11/2022, 5:23 PM
    Hi puppet! I'm trying to set up a new puppet7 server with puppetdb, but so far I'm unable to query 'pdb/query/v4/resources/Node' correctly, as it returns no output.
    - I can query 'pdb/query/v4/resources', minus the /Node portion, but the output looks incorrect
    - The goal is to query based on node tags during code deployments
    - This lives on a Foreman server, and I had it working at one point but it's since been broken after an accidental puppet.conf config rewrite, with no luck reproducing it.
    - puppetdb logs show it storing reports, catalogs and facts, but clearly something's not communicating
    I'm thinking I must have SSL certs or permissions broken somewhere? I tried re-running 'puppetdb ssl-setup -f' but that didn't help either. Any help or pointers would mean a lot to me. Thanks all
  • j

    Joel Wilson

    08/11/2022, 6:55 PM
    Is there a way to get certname dumped into the puppetserver-access.log ? I’m getting 403s that I’m trying to understand.
  • j

    Joel Wilson

    08/11/2022, 7:18 PM
    Ugh. Getting permission denied on many of my endpoints
  • b

    bastelfreak

    08/11/2022, 7:21 PM
    is your auth.conf still broken?
  • j

    Joel Wilson

    08/11/2022, 7:32 PM
    I mean. I guess. I can’t tell what’s wrong with it, though. I enabled the cert headers in the log and they say SUCCESS, so I’m guessing it’s not a client cert issue.
  • j

    Joel Wilson

    08/11/2022, 7:33 PM
    I even changed the endpoint to a straight path endpoint with `allow: "*"` and it’s still getting 403s.
  • b

    bastelfreak

    08/11/2022, 7:34 PM
    who is getting that error on which endpoint? agents when requesting a catalog?
  • l

    Lumiere

    08/11/2022, 7:35 PM
    a default auth.conf is in the rpm/deb packages
  • l

    Lumiere

    08/11/2022, 7:35 PM
    you might be able to grab it from there and diff
  • j

    Joel Wilson

    08/11/2022, 7:35 PM
    agents requesting a catalog and trying to send a report after that.
  • c

    CVQuesty

    08/11/2022, 8:06 PM
    I think @Lumiere got the joy here. Go get a default and work up from there.
  • j

    Joel Wilson

    08/11/2022, 8:08 PM
    I think the name is coming in as IP address.
  • j

    Joel Wilson

    08/11/2022, 8:11 PM
    I’ve got an lb in front of some of my masters, so I guess I need `allow-header-cert-info: true` on for those.
  • n

    natemccurdy

    08/11/2022, 8:19 PM
    Are you doing SSL termination on your own? You usually don’t need `allow-header-cert-info: true` unless you are.
  • j

    Joel Wilson

    08/11/2022, 8:20 PM
    I need to go look at that config. Possibly.
  • n

    natemccurdy

    08/11/2022, 8:20 PM
    And if you are doing SSL termination on your own, you’ll need to make sure you’re adding certain headers. For example, I terminate SSL via nginx in front of the puppetservers, and use this in my Nginx config:
    ```
    # Puppet expects the X-Client-Verify, X-Client-DN, and X-Client-Cert
    # headers for authentication and trusted facts.
    proxy_set_header    X-Client-Verify  $ssl_client_verify;
    proxy_set_header    X-Client-DN      $ssl_client_s_dn;
    proxy_set_header    X-Client-Cert    $ssl_client_escaped_cert;
    ```
  • j

    Joel Wilson

    08/11/2022, 8:24 PM
    Right. My module refactor wasn’t factoring in that some of our masters are behind balancers and some are not. The ones which aren’t work fine with that header set to false, but the ones behind balancers need it set to true.
  • s

    Slackbot

    08/12/2022, 4:50 PM
    This message was deleted.
  • v

    vchepkov

    08/13/2022, 3:11 PM
    Seems #C017HDDUQKX channel pretty much dead, so I'll ask here. I have trouble using `include STRING` match
    ```
    augtool> context /files/etc/httpd/conf.d/05-foreman-ssl.conf/
    augtool> match VirtualHost/directive[. = 'ProxyPassReverse']
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[18] = ProxyPassReverse
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[20] = ProxyPassReverse
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[23] = ProxyPassReverse
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[33] = ProxyPassReverse
    ```
    How do I match entry with `arg[2]` including `foreman.sock`?
    ```
    augtool> print /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[33]
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[33] = "ProxyPassReverse"
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[33]/arg[1] = "/"
    /files/etc/httpd/conf.d/05-foreman-ssl.conf/VirtualHost/directive[33]/arg[2] = "unix:///run/foreman.sock|http://foreman/"
    ```