# puppet
  • m

    matt

    08/31/2022, 9:27 AM
    this breaks automation and makes EL9 the first non-standard (compared to previous releases)
  • m

    matt

    08/31/2022, 9:27 AM
    is there a reason for this
  • m

    matt

    08/31/2022, 10:30 AM
    Hmmm, I've misread this, the release file is in the root of yum.puppet.com but not in yum.puppet.com/puppet
  • m

    matt

    08/31/2022, 10:30 AM
    what is the correct location for the release files, is it the root of yum.puppet.com?
  • v

    vchepkov

    08/31/2022, 1:09 PM
    https://github.com/puppetlabs/puppetlabs-puppet_agent/blob/main/manifests/osfamily/redhat.pp#L48
  • d

    Dr Bunsen Honeydew

    08/31/2022, 5:33 PM
    fiddyspence is on the rise! (Karma: 1)
  • b

    Brian Schonecker

    08/31/2022, 7:11 PM
    Looking for advice again! I've got roles/profiles with a base profile that installs (or removes!) all required packages. As part of CIS compliance, my base profile uninstalls "telnet-server" via (pseudo code)
    $packages = lookup('my_packages')
    $packages.each |$package, $attributes| { package { $package: * => $attributes } }
    data/common.yaml:
    my_packages:
      bash:
        ensure: installed
      'telnet-server':
        ensure: absent
    if telnet installed. Unfortunately, I do have a BUNCH of servers in "barcode" profile that does require that "telnet-server" package be installed.
    data/application/barcode.yaml:
    my_packages:
      'telnet-server':
        ensure: installed
    Obviously, this results in a duplicate resource definition when doing a lookup('my_packages') and Puppet complains. I'd hate to think that I need to take my package installation/removal code from the base profile and then put that package install code in every profile but I'm at a loss as to an easy way and easy-to-understand way to approach this. Any hints or advice?
  • b

    Brian Schonecker

    08/31/2022, 7:13 PM
    Could I create a my_packages hash in common.yaml and a "my_other_packages" in the application yaml and then join them together in a new variable with the "my_other_packages" overriding what's in the base profile "my_packages"?
  • b

    Brian Schonecker

    08/31/2022, 7:13 PM
    Having the single hash, 'my_packages' certainly is a lot easier to understand.
  • b

    Brian Schonecker

    08/31/2022, 7:15 PM
    My application module tries to install telnet-server via simple:
    package {'telnet-server': ensure => installed}
    so I don't know how to 'filter out' the $my_packages trying to uninstall it.
  • b

    bastelfreak

    08/31/2022, 7:20 PM
    so you've a global list of packages that you want to apply to most boxes, except for some? for each box you could define a $ignore_packages array in hiera and filter in your $packages based on that
  • b

    bastelfreak

    08/31/2022, 7:20 PM
    and for barcode systems, you set `ignore_packages: ['telnet']` in hiera
  • h

    helindbe

    08/31/2022, 7:22 PM
    You could drop the explicit package resource in your app module and use a merge lookup. For nodes where you want to override the common `my_packages` you set `telnet` to `install`, and then let hiera do that merge.
  • h

    helindbe

    08/31/2022, 7:23 PM
    Or what bastelfreak said, if you cannot change the app module.
  • b

    Brian Schonecker

    08/31/2022, 7:34 PM
    @bastelfreak Are you recommending that I do a loop around $my_packages and stdlib/delete any items that are in $ignore_packages and then use that resultant to 'filter out' the telnet package for my barcode servers? I'm not exactly sure what you're recommending [yet].
  • b

    bastelfreak

    08/31/2022, 7:35 PM
    yes
  • w

    wil.rodriguez

    08/31/2022, 10:42 PM
    Another option for you, similar to what @helindbe suggested, would be to leave out any packages that are possibly managed by your CIS controls from the package list and enforce them individually with their own static resources surrounded by `if` conditional blocks that are gated by boolean class parameters. This is how we have our CIS profiles set up. Each control has its own resources surrounded by if blocks tied to a class parameter named after the control so we can easily tell at a glance just from hiera which nodes are special snowflakes that violate CIS rules. You can even just set default values for each class parameter and only override in hiera.
  • z

    Zaeem Arshad

    09/01/2022, 4:32 AM
    On a Puppet 6.22 install, queries like these are taking about 12s~18s on average to complete. The PGSQL instance is a CloudSQL and is not experiencing any resource contention (cpu, mem, disk/net io) issues.
    WITH inactive_nodes AS (SELECT certname FROM certnames WHERE (deactivated IS NOT NULL AND deactivated > '2022-08-18T03:44:46.855Z') OR (expired IS NOT NULL and expired > '2022-08-18T03:44:46.855Z')), not_active_nodes AS (SELECT certname FROM certnames WHERE (deactivated IS NOT NULL OR expired IS NOT NULL)) SELECT certnames.certname AS \"certname\" FROM certnames LEFT JOIN catalogs ON catalogs.certname = certnames.certname LEFT JOIN factsets fs ON certnames.certname = fs.certname LEFT JOIN reports ON (certnames.certname = reports.certname AND certnames.latest_report_id = reports.id) LEFT JOIN environments catalog_environment ON catalog_environment.id = catalogs.environment_id LEFT JOIN report_statuses ON reports.status_id = report_statuses.id LEFT JOIN environments facts_environment ON facts_environment.id = fs.environment_id LEFT JOIN environments reports_environment ON reports_environment.id = reports.environment_id WHERE ((((certnames.certname) in (SELECT certname FROM  ( (SELECT fc.certname AS \"certname\" FROM (select certname, flattened.*   from factsets fs   left join lateral (     with recursive flattened_one (parent_path, parent_types, key, value, type) as (       select           array[]::text[],           '',           (jsonb_each(fs.stable||fs.volatile)).*,           's'       union all         select             parent_path || flattened_one.key,             parent_types || flattened_one.type,             sub_paths.key, sub_paths.value, sub_paths.type           from flattened_one           inner join lateral (             select               (jsonb_each(value)).*,               's' as type             where jsonb_typeof(value) = 'object'             union all             select                 generate_series::text as key,                 value->generate_series as value,                 'i' as type               from generate_series(0, jsonb_array_length(value) - 1)               where jsonb_typeof(value) = 'array'           ) as sub_paths on true   
  )     select         environment_id,         parent_path || key as path,         parent_types || type as types,         coalesce(parent_path[1], key) as name,         value       from flattened_one where not jsonb_typeof(value) = any('{\"array\", \"object\"}')   ) as flattened   on true) fc LEFT JOIN environments env ON fc.environment_id = env.id WHERE ((fc.path = (array['bc_cluster']) and fc.types = 's') AND (jsonb_typeof(\"value\") = $1 AND (value = $2)))) )  sub)) AND ((certnames.certname) in (SELECT certname FROM  ( (SELECT fc.certname AS \"certname\" FROM (select certname, flattened.*   from factsets fs   left join lateral (     with recursive flattened_one (parent_path, parent_types, key, value, type) as (       select           array[]::text[],           '',           (jsonb_each(fs.stable||fs.volatile)).*,           's'       union all         select             parent_path || flattened_one.key,             parent_types || flattened_one.type,             sub_paths.key, sub_paths.value, sub_paths.type           from flattened_one           inner join lateral (             select               (jsonb_each(value)).*,               's' as type             where jsonb_typeof(value) = 'object'             union all             select                 generate_series::text as key,                 value->generate_series as value,                 'i' as type               from generate_series(0, jsonb_array_length(value) - 1)               where jsonb_typeof(value) = 'array'           ) as sub_paths on true     )     select         environment_id,         parent_path || key as path,         parent_types || type as types,         coalesce(parent_path[1], key) as name,         value       from flattened_one where not jsonb_typeof(value) = any('{\"array\", \"object\"}')   ) as flattened   on true) fc LEFT JOIN environments env ON fc.environment_id = env.id WHERE ((fc.path = (array['location']) and fc.types = 's') AND (jsonb_typeof(\"value\") = $3 AND (value = $4)))) ) 
 sub))) AND NOT ((certnames.certname) in (SELECT certname FROM  ( SELECT not_active_nodes.certname AS \"certname\" FROM not_active_nodes )  sub)))
    Has anyone seen something similar before?
  • s

    sameer

    09/01/2022, 7:31 AM
    Hello, I want to add a module of pki in puppet master (production) and would like to install pki server with this only on my particular testing node. Previously the pki server was installed manually, and after adding this module it should install automatically for me on my testing node. There is already a folder in puppet master with name pki under ..../production/modules. I am not able to figure out how this can install only on my testing machine after I add the module in the pki directory. Is there somewhere I need to specify that it only has to install on my testing machine?
  • s

    sameer

    09/01/2022, 8:43 AM
    When I run puppet agent -t, I am getting this error:
    Error: Stage[main]Pki/File[/etc/ssl/private/host.key]: could not evaluate:could not retrieve information from environment production source(s) file:///private_keys/puppetagent.test.org.pem
    Error: Stage[main]Pki/File[/etc/ssl/certs/host.crt]: could not evaluate:could not retrieve information from environment production source(s) file:///certs/puppetagent.test.org.pem
    Error: Stage[main]Pki/File[/etc/ssl/certs/host-ca.crt]: could not evaluate:could not retrieve information from environment production source(s) file:///certs/ca.pem
  • z

    zipkid

    09/01/2022, 8:54 AM
    Que… ?
    Warning: The current total number of facts: 5037 exceeds the number of facts limit: 2048