# puppet
  • r

    RyChannel

    04/11/2023, 2:12 PM
    I like that my question got read into a lot, I was just asking a general question. lol I had been assuming that the agent's '30 minutes' restarted at the end of a run, I was clearly wrong when looking at the console. We had a bunch of VMs patch at the same time and reboot, so Puppet was running at very similar times on a lot of servers. Another engineer was complaining about CPU usage in a cluster and with my previous incorrect assumption I figured the issue was going to sort itself out after a few agent runs since the Puppet run times vary a lot on those servers.
  • r

    RyChannel

    04/11/2023, 2:27 PM
    I had been assuming that the agent's '30 minutes' restarted at the end of a run, I was clearly wrong when looking at the console. We had a bunch of VMs patch at the same time and reboot, so Puppet was running at very similar times on a lot of servers. Another engineer was complaining about CPU usage in a cluster and with my previous incorrect assumption I figured the issue was going to sort itself out after a few agent runs since the Puppet run times vary a lot on those servers.
  • d

    Dr Bunsen Honeydew

    04/11/2023, 2:45 PM
    allthethings _Vox Pupuli monthly sync; see calendar event for info_ is about to start up in #CFD8Z9A4T
  • d

    Dr Bunsen Honeydew

    04/11/2023, 4:45 PM
    kermit typing Puppet Core Team is about to start up in #CFD8Z9A4T
  • s

    Slackbot

    04/11/2023, 5:26 PM
    This message was deleted.
  • s

    smortex

    04/11/2023, 7:04 PM
    When using PuppetDB, you can query your infra, but nothing prevents you from filtering for resources from the node itself. You will not get the info from the current run, but the info from the previous one, which may be an issue for you. I use this pattern for monitoring setup: each node checks its own certificates and some nodes check all certificates of the fleet:
    ```
    # PQL query: every Dehydrated::Certificate in the fleet, or only this node's own
    $query = $monitor_dehydrated ? {
      'all'  => 'resources [title, parameters] { type = "Dehydrated::Certificate" }',
      'self' => "resources [title, parameters] { type = 'Dehydrated::Certificate' and certname = '${trusted['certname']}' }",
    }

    # Each certificate's title plus its 'domains' parameter, flattened into one sorted, unique list
    $endpoints = puppetdb_query($query).map |$value| { [] + $value.dig('title') + $value.dig('parameters', 'domains') }.flatten.unique.sort

    tls_checker::watch { 'dehydrated':
      endpoints => $endpoints,
    }
    ```
  • y

    Yuan Liu

    04/11/2023, 7:43 PM
    Question about user resource type. Is there a way to signal an impossible password hash, as is common across *nix platforms? In /etc/shadow (or /etc/passwd if shadow is not used), all I have to do is to enter an impossible string, such as “X” and “!!” in the password hash field.
  • v

    vchepkov

    04/11/2023, 7:55 PM
    ```
    password => '!!',
    ```
  • v

    vchepkov

    04/11/2023, 7:55 PM
    this works
  • c

    CVQuesty

    04/11/2023, 7:55 PM
    if you’re directly editing /etc/passwd or /etc/shadow, I would use an augeas lens to do so. (or a perl one-liner. I’m old.) If you want to just set the pw to a specific string, do what @vchepkov did right there 👆
  • c

    CVQuesty

    04/11/2023, 7:56 PM
    honestly, you can still set the password as normal, but use a stupid long or complex password with a shell of something like /bin/false and nobody could log in.
  • y

    Yuan Liu

    04/11/2023, 7:59 PM
    actually, i need to allow a shell of sorts, just not with password
  • y

    Yuan Liu

    04/11/2023, 8:01 PM
    i’m afraid `password => '!!',` is going to hash the string “!!”, instead of entering this string into the hash field
  • s

    Slackbot

    04/11/2023, 8:13 PM
    This message was deleted.
  • c

    CVQuesty

    04/11/2023, 8:34 PM
    you have to manually create the password hash if you’re going to use it in the `password => '',` attribute
  • l

    Luke Tidd

    04/11/2023, 8:41 PM
    Hey folks, does anyone know how difficult it might be to get a puppet 7 agent running on a linux-arm64 machine? There is not a package for that platform that I'm aware of.
  • v

    vchepkov

    04/11/2023, 8:55 PM
    I am running it on arm64?
  • v

    vchepkov

    04/11/2023, 8:56 PM
    https://yum.puppet.com/puppet7/el/7/aarch64/index.html
  • l

    Luke Tidd

    04/11/2023, 8:56 PM
    ohh. lemme see if that's in the debian repo too, must have missed it
  • l

    Luke Tidd

    04/11/2023, 8:58 PM
    https://apt.puppetlabs.com/pool/jammy/puppet7/p/puppet-agent/index.html
  • l

    Luke Tidd

    04/11/2023, 9:00 PM
    this is where I was looking.. maybe I can try the older focal client and see if it works
  • l

    Luke Tidd

    04/11/2023, 9:02 PM
    yeah, the older client seems to work. Could a jammy version be made if it's not too much trouble?
  • y

    Yuan Liu

    04/11/2023, 10:21 PM
    @vchepkov `password => '!!',` gives me another blank password hash, as if there’s no code change. (existing code doesn’t specify password) Agent output looks all normal
    ```
    /User[myuser]/password: changed password
    /Exec[unlock-myuser]/returns: executed successfully
    ```
  • y

    Yuan Liu

    04/11/2023, 10:29 PM
    OK, that output helped me identify the problem. If password is not specified, puppet actually uses ‘!!’ in the hash field. We have some code (“unlock”) to strip it. Also, the user resource doesn’t automatically hash. It simply enters the string into the hash field :=) The user is responsible for specifying a hash algo and calling it explicitly.
  • s

    Slackbot

    04/12/2023, 3:10 AM
    This message was deleted.
  • s

    Slackbot

    04/12/2023, 7:38 AM
    This message was deleted.
  • f

    Febu

    04/12/2023, 8:09 AM
    This was always the primary... not sure if setting up replication did something wacky

  • s

    Slackbot

    04/12/2023, 10:22 AM
    This message was deleted.
  • m

    Massimiliano (Max)

    04/12/2023, 12:18 PM
    how can I catch the error thrown by `Facter::Util::Resolution.exec` without pushing the fact and running puppet? If it's ruby I can try from `pry`. I have this line, and on all the servers (apart from the nomad servers) the file doesn't exist:
    `Facter::Util::Resolution.exec('cat /var/lib/nomad/server/node-id')` _rescue_ XXXXXX
  • s

    Slackbot

    04/12/2023, 12:20 PM
    This message was deleted.