This message was deleted.

Don’t know how from Powershell, but have you tried

puppet resource user

? Also, where are you running this from? …how does this relate to Puppet? …are you trying to put this in a fact or something?

Yeah, I'm putting it in a fact. The problem with

puppet resource user

is that it doesn't distinguish between local and LDAP users. I only need the local ones. Don't want to run tens of thousands of LDAP queries per hour and definitely don't want to bloat puppetdb with the unnecessary info.

Does this also gather LDAP users? https://github.com/natemccurdy/windows_account_names/blob/main/lib/facter/windows_accounts.rb#L14

Looking at the

windows_adsi

provider for the

user

resource gave me an idea: https://github.com/puppetlabs/puppet/blob/main/lib/puppet/provider/user/windows_adsi.rb Try something like this:

require 'puppet'
all_local_users = Puppet::Util::Windows::User.list_all()

That’s a function from this util class: https://github.com/puppetlabs/puppet/blob/main/lib/puppet/util/windows/adsi.rb#L303-L305 No idea if that’ll work… but seems interesting.

message has been deleted

I think also several windows puppet providers that call powershell haven't made the switch to ruby pwsh gem, and that is causing puppet to spend time instantiating powershell unnecessarily.

also most of the nodes I use, don't have internet access. What I realized was that by shutting off certificate revocation checks on those [an HKEY USER setting, but modified all hives through some registry magic] caused speed increases of puppet runs by 3X [24 second nochange runs became 8sec] so i think was most of the processing time. still digging for any other wasteful activity

A best-practice question: I recently wired in

pre-commit

hooks into my repo, and enabled

puppet-lint

using the Vox Pupuli recommended puppet-lint-* gems. I got a bit of carping from

puppet-lint-top_scope_facts-check

. In my earlier puppet journey, I placed our top org level facts in

~/manifests/site.pp

as $gbl_* variables that I continue to reference in my codebase. ( collections of ipaddrs, FQDNs, CIDR ranges, groups of usernames ). Having just written a bunch of

# lint:ignore:top_scope_facts

lines to get

pre-commit

to pass, I realize I need to refactor this beginner pattern of mine. So looking for a best-practices recommendation here. Thanks in advance 🙏🙇

Make a $<organization_name> class or profiles::global e.g. and put all your global vars there as class parameter values

why do you even use variables for this and dont reference facts directly. do you need to abstract it away?

Any way to get some attention on https://tickets.puppetlabs.com/browse/MODULES-11219? We are starting to run into major issues with https://tickets.puppetlabs.com/browse/SERVER-2862 (as we add more machines). We are using • Puppet Server: 7.9.1 • Java VM: OpenJDK 64-Bit Server VM (25.332-b09 mixed mode linux-amd64 compressed oops) • puppetlabs/stdlib: 8.2.0

Any way to get some attention on https://tickets.puppetlabs.com/browse/MODULES-11219? We are starting to run into major issues with https://tickets.puppetlabs.com/browse/SERVER-2862 (as we add more machines). We are using • Puppet Server: 7.9.1 • Java VM: OpenJDK 64-Bit Server VM (25.332-b09 mixed mode linux-amd64 compressed oops) • puppetlabs/stdlib: 8.2.0

seeing this error

Info: Not using expired certificate for ca from cache; expired at 2022-09-27 17:54:39 UTC
Info: Not using expired certificate for ca from cache; expired at 2022-09-27 17:54:39 UTC
Info: Not using expired certificate for ca from cache; expired at 2022-09-27 17:54:39 UTC
Info: Not using expired certificate for ca from cache; expired at 2022-09-27 17:54:39 UTC
Error: Could not run: stack level too deep

we are using puppet version 4.10.12. I was trying to find the documentation regarding this version but could not find it. and googling also gives quite a different option. Does anyone have experience renewing CA certificate on this version?

@vinod check

puppet ca --help

or something like that, but once a certificate is expired, it is "too late" to renew it: as the agent cannot reach the server anymore, you can't have it download the renewed certificate by having some code in the node catalog. You will have to deal with this situation on all concerned nodes of your fleet.

Maybe

puppet ca list

can tell you which certificates are expired / about to expire

This message was deleted.

hey Puppeteers, I am trying to connect my code using templates and manifests file. The only thing that holds me back is the creation of directory. I tried including file { 'name of file': and then the path for the file. There is a directory that needs to be created called "content_includes". The path that goes for the ".tt" file is located in this directory but this direcotry by default does not exists. How should I create this directory? do I write a new class "directories" or?

This message was deleted.

is there a way to see how long individual facts take to process?

i guess i can run agent debug and look at timestamps

This message was deleted.

there used to be

--timing

option, but it died with cfacter

actually its there with facter cmd, just not puppet facts. cool

i don't think that those #s reflect the sum of fact generation. i see fact_generation values all over the map from 3s to 20s. trying to figure out why.

This message was deleted.

This message was deleted.

I just tested this in the

puppet/puppet-agent-ubuntu

Docker image with

moreutils

installed and the following oneliner:

bash
( puppet apply -t --debug |& ts -i %.S )  <<EOF
class main() {
  notify { 'omg': }
}
EOF

I just tested this in the

puppet/puppet-agent-ubuntu

Docker image with

moreutils

installed and the following oneliner:

sh
( puppet apply -t --debug |& ts -i %.S )  <<EOF
class main() {
  notify { 'omg': }
}
EOF