Discussion:
Func 0.27 + Puppet
Norvell, Preston
2011-03-30 23:42:48 UTC
I've read the func man page and trolled the list as much as I can to find an answer to this; apologies if I've been blind.

I'm interested in running Func in conjunction with our pre-existing Puppet infrastructure. Per the wiki <https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no longer an appropriate reference for doing the integration work as of 0.27 (I've got func-0.27 from rpmforge and certmaster-0.27 from another location). Is there a reference for what the new proper integration is? I am (and my team is) new to Func so perhaps I'm missing something that would be intuitive to a seasoned user, but I'm down to reading the patch commits and such to try to figure things out. I would appreciate any pointers, and I'd be happy to provide an updated wiki page if one is not already elsewhere.

Thanks,

;P mn

--
Preston M Norvell <preston.norvell-sdKh1AwYtnTe9wHmmfpqLFaTQe2KTcn/@public.gmane.org>
Systems/Network Engineer
Serials Solutions <http://www.serialssolutions.com>
Phone: (866) SERIALS (737-4257) ext 1094
Greg Swift
2011-03-31 02:11:27 UTC
On Wed, Mar 30, 2011 at 18:42, Norvell, Preston <
Post by Norvell, Preston
I've read the func man page and trolled the list as much as I can to find
an answer to this; apologies if I've been blind.
I'm interested in running Func in conjunction with our pre-existing Puppet
infrastructure. Per the wiki <
https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no
longer an appropriate reference for doing the integration work as of 0.27
(I've got func-0.27 from rpmforge and certmaster-0.27 from another
location). Is there a reference for what the new proper integration is? I
am (and my team is) new to Func so perhaps I'm missing something that would
be intuitive to a seasoned user, but I'm down to reading the patch commits and
such to try to figure things out. I would appreciate any pointers, and I'd
be happy to provide an updated wiki page if one is not already elsewhere.
I've never set it up, and this might not work (but I hope it can at least
get you going the right direction till someone more in the know answers),
however to the best of my knowledge:

1: overlord must be on the same host as puppetmaster
2: in /etc/func/overlord.conf:
a: you need to set "puppet_minions = True" under the [main] section.
b: set ca_file, cert_file, key_file based on where puppet places its
files
c: If the following is not true for your environment you need to set
how your system is configured in /etc/func/overlord.conf:
puppet_inventory = /var/lib/puppet/ssl/ca/inventory.txt
puppet_signed_certs_dir = /var/lib/puppet/ssl/ca/ca_crl.pem
3: On minion in /etc/func/minion.conf:
a: set "use_certmaster = False"
b: set ca_file, cert_file, key_file, and crl_location paths based on
where puppet places its files
c: start daemon
4: Back on overlord try running 'func "*" ping'

If that doesn't work then 2b might need to be augmented with the previous
"passphrase/key removal" steps from the wiki.

Cleanup help on the wiki is always appreciated :)

-greg/xaeth
Norvell, Preston
2011-04-01 17:41:15 UTC
Thanks much. I have things up and running with a couple mods from below. Once I've got a good, repeatable process down, I'll update the wiki page.

;P mn
Post by Norvell, Preston
I've read the func man page and trolled the list as much as I can to find an answer to this; apologies if I've been blind.
I'm interested in running Func in conjunction with our pre-existing Puppet infrastructure. Per the wiki <https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no longer an appropriate reference for doing the integration work as of 0.27 (I've got func-0.27 from rpmforge and certmaster-0.27 from another location). Is there a reference for what the new proper integration is? I am (and my team is) new to Func so perhaps I'm missing something that would be intuitive to a seasoned user, but I'm down to reading the patch commits and such to try to figure things out. I would appreciate any pointers, and I'd be happy to provide an updated wiki page if one is not already elsewhere.
1: overlord must be on the same host as puppetmaster
a: you need to set "puppet_minions = True" under the [main] section.
b: set ca_file, cert_file, key_file based on where puppet places its files
puppet_inventory = /var/lib/puppet/ssl/ca/inventory.txt
puppet_signed_certs_dir = /var/lib/puppet/ssl/ca/ca_crl.pem
a: set "use_certmaster = False"
b: set ca_file, cert_file, key_file, and crl_location paths based on where puppet places its files
c: start daemon
4: Back on overlord try running 'func "*" ping'
If that doesn't work then 2b might need to be augmented with the previous "passphrase/key removal" steps from the wiki.
Cleanup help on the wiki is always appreciated :)
-greg/xaeth
Greg Swift
2011-04-01 18:04:24 UTC
glad to hear
Post by Norvell, Preston
Thanks much. I have things up and running with a couple mods from below.
Once I've got a good, repeatable process down, I'll update the wiki page.
;P mn
Post by Greg Swift
On Wed, Mar 30, 2011 at 18:42, Norvell, Preston
I've read the func man page and trolled the list as much as I can to find
an answer to this; apologies if I've been blind.
I'm interested in running Func in conjunction with our pre-existing Puppet
infrastructure. Per the wiki
<https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no
longer an appropriate reference for doing the integration work as of 0.27
(I've got func-0.27 from rpmforge and certmaster-0.27 from another
location). Is there a reference for what the new proper integration is?
I am (and my team is) new to Func so perhaps I'm missing something that
would be intuitive to a seasoned user, but I'm down to reading the patch
commits and such to try to figure things out. I would appreciate any
pointers, and I'd be happy to provide an updated wiki page if one is not
already elsewhere.
I've never set it up, and this might not work (but I hope it can at least
get you going the right direction till someone more in the know answers),
1: overlord must be on the same host as puppetmaster
a: you need to set "puppet_minions = True" under the [main] section.
b: set ca_file, cert_file, key_file based on where puppet places its files
c: If the following is not true for your environment you need to set
puppet_inventory = /var/lib/puppet/ssl/ca/inventory.txt
puppet_signed_certs_dir = /var/lib/puppet/ssl/ca/ca_crl.pem
a: set "use_certmaster = False"
b: set ca_file, cert_file, key_file, and crl_location paths based on
where puppet places its files
c: start daemon
4: Back on overlord try running 'func "*" ping'
If that doesn't work then 2b might need to be augmented with the previous
"passphrase/key removal" steps from the wiki.
Cleanup help on the wiki is always appreciated :)
-greg/xaeth
Filip Slunecko
2011-04-06 10:27:13 UTC
Hi,

I'm trying to unify puppet with func too, but I'm still getting this error:

Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert bad certificate'),
('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake failure')]

Minion config

[main]
log_level = INFO
acl_dir = /etc/func/minion-acl.d

listen_addr =
listen_port = 51234
minion_name = test-machine.test.org
method_log_dir = /var/log/func/methods/
use_certmaster = False

ca_file=/var/lib/puppet/ssl/certs/ca.pem
cert_file=/var/lib/puppet/ssl/certs/test-machine.test.org.pem
key_file=/var/lib/puppet/ssl/private_keys/test-machine.test.org.pem
crl_location=/var/lib/puppet/ssl/crl.pem

overlord.conf

# configuration for overlord

[main]
socket_timeout = 0
backend = conf
group_db =
puppet_minions = True

Could you please guide me in the right way?

Thank you

Filip
Post by Greg Swift
On Wed, Mar 30, 2011 at 18:42, Norvell, Preston <
Post by Norvell, Preston
I've read the func man page and trolled the list as much as I can to find
an answer to this; apologies if I've been blind.
I'm interested in running Func in conjunction with our pre-existing Puppet
infrastructure. Per the wiki <
https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no
longer an appropriate reference for doing the integration work as of 0.27
(I've got func-0.27 from rpmforge and certmaster-0.27 from another
location). Is there a reference for what the new proper integration is? I
am (and my team is) new to Func so perhaps I'm missing something that would
be intuitive to a seasoned user, but I'm down to reading the patch commits and
such to try to figure things out. I would appreciate any pointers, and I'd
be happy to provide an updated wiki page if one is not already elsewhere.
I've never set it up, and this might not work (but I hope it can at least
get you going the right direction till someone more in the know answers),
1: overlord must be on the same host as puppetmaster
a: you need to set "puppet_minions = True" under the [main] section.
b: set ca_file, cert_file, key_file based on where puppet places its
files
c: If the following is not true for your environment you need to set
puppet_inventory = /var/lib/puppet/ssl/ca/inventory.txt
puppet_signed_certs_dir = /var/lib/puppet/ssl/ca/ca_crl.pem
a: set "use_certmaster = False"
b: set ca_file, cert_file, key_file, and crl_location paths based on
where puppet places its files
c: start daemon
4: Back on overlord try running 'func "*" ping'
If that doesn't work then 2b might need to be augmented with the previous
"passphrase/key removal" steps from the wiki.
Cleanup help on the wiki is always appreciated :)
-greg/xaeth
_______________________________________________
Func-list mailing list
https://www.redhat.com/mailman/listinfo/func-list
seth vidal
2011-04-06 13:58:21 UTC
Post by Filip Slunecko
Hi,
Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert bad
certificate'), ('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake
failure')]
Minion config
[main]
log_level = INFO
acl_dir = /etc/func/minion-acl.d
listen_addr =
listen_port = 51234
minion_name = test-machine.test.org
method_log_dir = /var/log/func/methods/
use_certmaster = False
ca_file=/var/lib/puppet/ssl/certs/ca.pem
cert_file=/var/lib/puppet/ssl/certs/test-machine.test.org.pem
key_file=/var/lib/puppet/ssl/private_keys/test-machine.test.org.pem
crl_location=/var/lib/puppet/ssl/crl.pem
overlord.conf
# configuration for overlord
[main]
socket_timeout = 0
backend = conf
group_db =
puppet_minions = True
Could you please guide me in the right way?
Thank you
Here's a script I use to set up the minion configs properly.

http://skvidal.fedorapeople.org/misc/make-minion-conf.sh.txt



on the overlord side you'll need to specify the path to the puppet CA
certificates.

often they are

ca_file=/var/lib/puppet/ssl/ca/ca_crt.pem
key_file=/var/lib/puppet/ssl/ca/ca_dec_key.pem
cert_file=/var/lib/puppet/ssl/ca/ca_crt.pem

-sv
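The handshake failure Filip hit ("sslv3 alert bad certificate") and the minion/overlord settings Greg and Seth describe, as an added example written for this page (not Seth's linked script and not code from the func project): it emits both config files for a Puppet ssldir and pre-checks that the certificate, key and CA actually belong together before funcd or func attempt a TLS handshake. Paths follow the thread; the presence of `openssl` is an assumption.

```shell
#!/bin/sh
# Added example: build func minion.conf / overlord.conf from Puppet's
# certificates and sanity-check the key material up front.

# Emit a func minion.conf for host $1 using Puppet ssldir $2
# (default /var/lib/puppet/ssl). Only the keys discussed in the thread are set.
make_minion_conf() {
    host=$1
    ssldir=${2:-/var/lib/puppet/ssl}
    cat <<EOF
[main]
log_level = INFO
acl_dir = /etc/func/minion-acl.d
listen_addr =
listen_port = 51234
minion_name = $host
method_log_dir = /var/log/func/methods/
use_certmaster = False
ca_file = $ssldir/certs/ca.pem
cert_file = $ssldir/certs/$host.pem
key_file = $ssldir/private_keys/$host.pem
crl_location = $ssldir/crl.pem
EOF
}

# Emit the overlord.conf [main] section, pointing at the Puppet CA's own
# certificate and its decrypted key as Seth's reply describes (the decrypted
# key is what the wiki's "passphrase/key removal" step produces).
make_overlord_conf() {
    ssldir=${1:-/var/lib/puppet/ssl}
    cat <<EOF
[main]
socket_timeout = 0
backend = conf
group_db =
puppet_minions = True
puppet_inventory = $ssldir/ca/inventory.txt
ca_file = $ssldir/ca/ca_crt.pem
cert_file = $ssldir/ca/ca_crt.pem
key_file = $ssldir/ca/ca_dec_key.pem
EOF
}

# Pre-flight check for the "bad certificate" failure: the cert must chain to
# the CA and the private key must match the cert. Returns 0 when both hold,
# 1 on a problem (reason on stderr), 2 if openssl is not installed.
check_pair() {
    ca=$1 cert=$2 key=$3
    command -v openssl >/dev/null 2>&1 || return 2
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    done
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "$cert is not signed by $ca" >&2; return 1; }
    # </dev/null keeps openssl from blocking on a passphrase prompt if the
    # key is still encrypted (the CA key is, until it has been decrypted).
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || cert_mod=
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null </dev/null) || key_mod=
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] ||
        { echo "$cert and $key do not match (encrypted key?)" >&2; return 1; }
    return 0
}

# Read ca_file/cert_file/key_file out of an existing func conf ($1), with or
# without spaces around "=", and run check_pair on them.
check_conf() {
    conf=$1
    ca=$(sed -n 's/^ca_file *= *//p' "$conf" | head -n 1)
    cert=$(sed -n 's/^cert_file *= *//p' "$conf" | head -n 1)
    key=$(sed -n 's/^key_file *= *//p' "$conf" | head -n 1)
    check_pair "$ca" "$cert" "$key"
}
```

Run `check_conf /etc/func/minion.conf` on a minion and `check_conf /etc/func/overlord.conf` on the puppetmaster; a non-zero exit names the file that is wrong, which is exactly the information the OpenSSL alert in the thread withholds.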
Filip Slunecko
2011-04-06 14:54:23 UTC
Thank you. Everything runs fine now.
The problem was the overlord certificate paths.

Filip
Post by seth vidal
Post by Filip Slunecko
Hi,
Error: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert bad
certificate'), ('SSL routines', 'SSL3_READ_BYTES', 'ssl handshake
failure')]
Minion config
[main]
log_level = INFO
acl_dir = /etc/func/minion-acl.d
listen_addr =
listen_port = 51234
minion_name = test-machine.test.org
method_log_dir = /var/log/func/methods/
use_certmaster = False
ca_file=/var/lib/puppet/ssl/certs/ca.pem
cert_file=/var/lib/puppet/ssl/certs/test-machine.test.org.pem
key_file=/var/lib/puppet/ssl/private_keys/test-machine.test.org.pem
crl_location=/var/lib/puppet/ssl/crl.pem
overlord.conf
# configuration for overlord
[main]
socket_timeout = 0
backend = conf
group_db =
puppet_minions = True
Could you please guide me in the right way?
Thank you
Here's a script I use to set up the minion configs properly.
http://skvidal.fedorapeople.org/misc/make-minion-conf.sh.txt
on the overlord side you'll need to specify the path to the puppet CA
certificates.
often they are
ca_file=/var/lib/puppet/ssl/ca/ca_crt.pem
key_file=/var/lib/puppet/ssl/ca/ca_dec_key.pem
cert_file=/var/lib/puppet/ssl/ca/ca_crt.pem
-sv
seth vidal
2011-04-06 16:20:23 UTC
Post by Filip Slunecko
Thank you. Everything runs fine now.
The problem was the overlord certificate paths.
Great, glad to hear it.

-sv
Jan-Frode Myklebust
2011-04-25 12:38:39 UTC
Post by Norvell, Preston
I'm interested in running Func in conjunction with our pre-existing Puppet
infrastructure. Per the wiki
<https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no
longer an appropriate reference for doing the integration work as of 0.27
I updated this routine now. Could you please read through it and see if you
agree?



-jf
Norvell, Preston
2011-04-26 19:01:43 UTC
Apologies to the list for the thread skip here and not updating the wiki myself. I tried to, but sans logon was denied, then got distracted by other things at work.

Reading through it, I have a couple comments:
- I have found no need to modify anything in /etc/certmaster on either the overlords or minions
- Depending on where you get your RPM (I get mine currently from RPMForge), it may want to install/run certmaster by default. It should be disabled.
- There is a nascent puppet module to manage minion and overlord configurations here: http://forge.puppetlabs.com/rodjek/func. I used it as the beginning of my work and hope to push the changes back up stream to the author. It might be good to let folks know it exists.
- I found that I needed to create an acl file in /etc/minion-acl.d with the hostname-certhash of the overlord/puppetmaster on each minion, because rather than defaulting to "*" it defaults to "foo" (literally) for the acl.

Hope that helps, and thanks much for updating the page.

;P mn
Post by Norvell, Preston
I'm interested in running Func in conjunction with our pre-existing Puppet
infrastructure. Per the wiki
<https://fedorahosted.org/func/wiki/FuncWithPuppet> the wiki itself is no
longer an appropriate reference for doing the integration work as of 0.27
I updated this routine now. Could you please read through it and see if you
agree?
-jf
Todd Zullinger
2011-04-27 05:45:02 UTC
Post by Norvell, Preston
- Depending on where you get your RPM (I get mine currently from
RPMForge), it may want to install/run certmaster by default. It
should be disabled.
I believe this is https://bugzilla.redhat.com/show_bug.cgi?id=540764
which is caused by the "Default-Start: 3 4 5" line in the stock init
script. I think that line (and perhaps Default-Stop) should simply be
dropped.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A pessimist is a person who has had to listen to too many optimists.
-- Don Marquis
Jan-Frode Myklebust
2011-04-26 19:29:16 UTC
Post by Norvell, Preston
- I have found no need to modify anything in /etc/certmaster on either the overlords or minions
I use the EPEL packages, and they have certmaster=certmaster in
/etc/certmaster/minion.conf, and then the minions fail to start.
Post by Norvell, Preston
- Depending on where you get your RPM (I get mine currently from
RPMForge), it may want to install/run certmaster by default. It should
be disabled.
Oh.. I hadn't noticed. Thanks!

IMHO that's a bug in the packaging... skvidal ?
Post by Norvell, Preston
- There is a nascent puppet module to manage minion and overlord configurations here: http://forge.puppetlabs.com/rodjek/func. I used it as the beginning of my work and hope to push the changes back up stream to the author. It might be good to let folks know it exists.
I wrote my own yesterday ->

http://blag.tanso.net/2011/04/13-puppet-as-certmaster-for-func/
Post by Norvell, Preston
- I found that I needed to create an acl file in /etc/minion-acl.d with the hostname-certhash of the overlord/puppetmaster on each minion, because rather than defaulting to "*" it defaults to "foo" (literally) for the acl.
I didn't need that. My minion-acl.d/ is empty, and I can access the minions
from the overlord. Hmm.. guess I need to understand the access control
model of func better..


-jf
Greg Swift
2011-04-27 13:12:17 UTC
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- I have found no need to modify anything in /etc/certmaster on either the overlords or minions
I use the EPEL packages, and they have certmaster=certmaster in
/etc/certmaster/minion.conf, and then the minions fail to start.
If you have certmaster resolvable in the local search domain then
there is nothing to edit. if you don't then, yes, you need to set the
certmaster setting to a valid dns/ip entry
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- Depending on where you get your RPM (I get mine currently from
RPMForge), it may want to install/run certmaster by default.  It should
be disabled.
Oh.. I hadn't noticed. Thanks!
IMHO that's a bug in the packaging... skvidal ?
The init script has to have the appropriate settings in it, such as
the default start and stop levels that are present. Otherwise they
wouldn't be compliant, and if you run a reset or on on the service it
wouldn't be put in the appropriate run levels. That being said...
maybe we should add and then disable certmaster on installation right
now. However, there was a discussion the other day about trying to
make func and certmaster play nicer on the minions. I'll be posting
it up as soon as I get some time on the home PC where it's stored for
me to use as a reference.


-greg
Greg Swift
2011-04-27 14:50:11 UTC
Post by Greg Swift
Post by Jan-Frode Myklebust
IMHO that's a bug in the packaging... skvidal ?
The init script has to have the appropriate settings in it, such as
the default start and stop levels that are present.  Otherwise they
wouldn't be compliant, and if you run a reset or on on the service it
wouldn't be put in the appropriate run levels.
Hmm.. you have the correct setting for "# chkconfig: - 98 99", but
       # Default-Start: 3 4 5
       # Default-Stop: 0 1 2 6
Are you saying these are required to be present in INIT INFO to be lsb
compliant ? I see many initscripts on my systems without these defined..
       # chkconfig: - 85 15
       <snip>
       ### BEGIN INIT INFO
       # Provides: httpd
       # Required-Start: $local_fs $remote_fs $network $named
       # Required-Stop: $local_fs $remote_fs $network
       # Should-Start: distcache
       # Short-Description: start and stop Apache HTTP Server
       # Description: The Apache HTTP Server is an extensible server
       #  implementing the current HTTP standards.
       ### END INIT INFO
I am not saying it is required to be compliant, I'm saying that it is
syntactically correct. I may be wrong, but I hold to what I say. In
the old chkconfig method you defined start and stop order, and orders
it should be on in when enabled. Why would you not do the same in the
new? Yes, it is not defined as a required option, and some might
consider it such. However, we are defining the appropriate run levels
for the service to be running in when it is enabled. Thus going back
to what I said before. Maybe when we do the installation of
certmaster, we should then ensure that it is disabled. If we take out
the Default-{Start,Stop} lines we can accomplish this, but then aren't
properly defining what run levels it should run in as well. This is
the approach Apache (or red hat) seems to have taken in the example
you provide, but does not mean it is the only or that there is only
one right way. At this point it's just personal preference on which
way is better to implement it, as they provide very similar (albeit
not the same) results.

I am interpreting from the Default-{Start,Stop} definitions in the
LSB: http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/initscrcomconv.html

(jf - sorry i didn't hit reply to all the first time)

-greg
Jan-Frode Myklebust
2011-04-27 17:15:47 UTC
Post by Greg Swift
I am not saying it is required to be compliant, I'm saying that it is
syntactically correct. I may be wrong, but I hold to what I say. In
the old chkconfig method you defined start and stop order, and orders
it should be on in when enabled. Why would you not do the same in the
new?
You're not doing the same in new and old. In the old method you define
start and stop order, yes, but you don't define which runlevels it should
default start/stop in (notice the "-" in the chkconfig line).

Also, the recommendation for fedora packaging says about Default-Start:

Each Fedora SysV-style initscript which needs to start by default in any
runlevel must include this line in the LSB Header, and it must match the
list of runlevels defined for startup in the Chkconfig header. Only
services which are really required for a vital system should define
runlevels here.

Ref:
http://fedoraproject.org/wiki/Packaging/SysVInitScript#.23_Default-Start:_line

The reason I'm objecting is both that I think this is a bad default
security wise (principle of least surprise -- it surprised me that a
func dependency suddenly installed a network listening daemon that
func didn't need), and also it forces me to add logic to work around
this when deploying minions through puppet.


-jf
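As an added example (written for this page, not from the thread or from the func/certmaster packages), a POSIX shell audit that applies the precedence just described: an init script's LSB `Default-Start` header is used when present, otherwise the runlevel field of the `chkconfig:` line, where "-" means enabled in no runlevel; it then lists every script in an init directory that a package install would leave enabled. It assumes only sed and basename; the sample headers in the comments are constructed from the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: which runlevels would a SysV init script be enabled in
# by default, and which scripts in /etc/init.d start without being asked?
#
# Sample headers (constructed, matching the thread):
#   certmaster before the patch:   # chkconfig: - 98 99  + Default-Start: 3 4 5  -> "3 4 5"
#   certmaster after the patch:    # chkconfig: - 98 99  and no Default-Start    -> "none"
#   httpd on RHEL6:                # chkconfig: - 85 15  and no Default-Start    -> "none"
#   old-style script:              # chkconfig: 2345 85 15, no LSB block         -> "2 3 4 5"

# Print the default runlevels of init script $1 as a space-separated list,
# or "none" if the script is not enabled in any runlevel by default.
default_runlevels() {
    script=$1
    # The LSB INIT INFO block takes precedence: if it declares Default-Start
    # at all, its value (even an empty one) is the answer.
    lsb=$(sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/{/^# *Default-Start:/p;}' "$script" | head -n 1)
    if [ -n "$lsb" ]; then
        levels=$(printf '%s\n' "$lsb" | sed 's/^# *Default-Start: *//; s/ *$//')
        if [ -n "$levels" ]; then echo "$levels"; else echo none; fi
        return 0
    fi
    # Otherwise fall back to "# chkconfig: <levels> <start-prio> <stop-prio>",
    # where "-" in the levels field means "enabled nowhere by default".
    levels=$(sed -n 's/^# *chkconfig: *\([^ ]*\) .*/\1/p' "$script" | head -n 1)
    case $levels in
        ""|-) echo none ;;
        *) echo "$levels" | sed 's/./& /g; s/ *$//' ;;
    esac
}

# List every script under directory $1 (default /etc/init.d) that would be
# started by default, one "name: levels" line each. Scripts reporting "none"
# are the ones that behave the way the thread argues a package should.
audit_initd() {
    dir=${1:-/etc/init.d}
    for s in "$dir"/*; do
        [ -f "$s" ] || continue
        levels=$(default_runlevels "$s")
        [ "$levels" != "none" ] && echo "$(basename "$s"): $levels"
    done
    return 0
}
```

Running `audit_initd` after installing a package shows at once whether it brought a daemon that will come up on the next boot, which is the surprise the thread objects to.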
Greg Swift
2011-04-27 18:49:42 UTC
Post by Greg Swift
I am not saying it is required to be compliant, I'm saying that it is
syntactically correct. I may be wrong, but I hold to what I say.  In
the old chkconfig method you defined start and stop order, and orders
it should be on in when enabled.  Why would you not do the same in the
new?
You're not doing the same in new and old. In the old method you define
start and stop order, yes, but you don't define which runlevels it should
default start/stop in (notice the "-" in the chkconfig line).
Okay.. func/certmaster don't seem to, you are correct. I was basing
my statement on every time I've written an init script. I didn't write
these. And the fact that we weren't doing it for the old chkconfig
header didn't click in my head.
       Each Fedora SysV-style initscript which needs to start by default in any
       runlevel must include this line in the LSB Header, and it must match the
       list of runlevels defined for startup in the Chkconfig header. Only
       services which are really required for a vital system should define
       runlevels here.
       http://fedoraproject.org/wiki/Packaging/SysVInitScript#.23_Default-Start:_line
Since the Fedora guidelines are more specific about this than LSB, and
define which of the two ways I mentioned earlier to address this, then
that's fine, we can follow them.
The reason I'm objecting is both that I think this is a bad default
security wise (principle of least surprise -- it surprised me that a
func dependency suddenly installed a network listening daemon that
func didn't need), and also it forces me to add logic to work around
this when deploying minions through puppet.
I agree that we needed to make sure it isn't starting something just
because it installed certmaster (or func for that matter). It is a
problem, and needs to be resolved.

seth, do you see any problem with removing the default-start and stop
lines from the init scripts?

-greg
seth vidal
2011-04-27 19:23:14 UTC
Post by Greg Swift
Post by Jan-Frode Myklebust
Post by Greg Swift
I am not saying it is required to be compliant, I'm saying that it is
syntactically correct. I may be wrong, but I hold to what I say. In
the old chkconfig method you defined start and stop order, and orders
it should be on in when enabled. Why would you not do the same in the
new?
You're not doing the same in new and old. In the old method you define
start and stop order, yes, but you don't define which runlevels it should
default start/stop in (notice the "-" in the chkconfig line).
Okay.. func/certmaster don't seem to, you are correct. I was basing
my statement on every time I've written an init script. I didn't write
these. And the fact that we weren't doing it for the old chkconfig
header didn't click in my head.
Post by Jan-Frode Myklebust
Each Fedora SysV-style initscript which needs to start by default in any
runlevel must include this line in the LSB Header, and it must match the
list of runlevels defined for startup in the Chkconfig header. Only
services which are really required for a vital system should define
runlevels here.
http://fedoraproject.org/wiki/Packaging/SysVInitScript#.23_Default-Start:_line
Since the Fedora guidelines are more specific about this than LSB, and
define which of the two ways I mentioned earlier to address this, then
that's fine, we can follow them.
Post by Jan-Frode Myklebust
The reason I'm objecting is both that I think this is a bad default
security wise (principle of least surprise -- it surprised me that a
func dependency suddenly installed a network listening daemon that
func didn't need), and also it forces me to add logic to work around
this when deploying minions through puppet.
I agree that we needed to make sure it isn't starting something just
because it installed certmaster (or func for that matter). It is a
problem, and needs to be resolved.
seth, do you see any problem with removing the default-start and stop
lines from the init scripts?
nope.

-sv
Todd Zullinger
2011-06-02 17:58:17 UTC
Starting daemons by default should be avoided.
---
Post by Greg Swift
seth, do you see any problem with removing the default-start and stop
lines from the init scripts?
nope.
I didn't see this ever get submitted or applied. So here's the
trivial patch to make it so. I'll send a follow-up patch for funcd as
well.

init-scripts/certmaster | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/init-scripts/certmaster b/init-scripts/certmaster
index 5e6f0b1..4642f81 100755
--- a/init-scripts/certmaster
+++ b/init-scripts/certmaster
@@ -8,8 +8,6 @@
### BEGIN INIT INFO
# Provides: certmaster
# Required-Start: network
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
# Short-Description: certificate master for Fedora Unified Network Control 'master server only'
# Description: certificate master to sign/manage ca/cert infrastructure
### END INIT INFO
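Review bot: the commit message ("Starting daemons by default should be avoided.") states the policy but none of the references this thread produced; please add the bug it resolves (https://bugzilla.redhat.com/show_bug.cgi?id=540764, cited by Todd earlier) and the Fedora SysVInitScript guideline on Default-Start that Jan-Frode quoted, so the rationale is recoverable from git log. The hunk itself is consistent with that guideline: removing `# Default-Start: 3 4 5` and `# Default-Stop: 0 1 2 6` leaves the LSB block in agreement with the `# chkconfig: - 98 99` line Jan-Frode quoted for this script, which already declares no default runlevels. One thing worth stating in the message: this only changes what a future `chkconfig --add` creates, so hosts that already have certmaster enabled keep their existing runlevel links unless the packaging touches them.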
--
1.7.4.4
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disobedience: The silver lining to the cloud of servitude.
-- Ambrose Bierce
seth vidal
2011-06-02 18:32:28 UTC
Post by Todd Zullinger
Starting daemons by default should be avoided.
---
Post by Greg Swift
seth, do you see any problem with removing the default-start and stop
lines from the init scripts?
nope.
I didn't see this ever get submitted or applied. So here's the
trivial patch to make it so. I'll send a follow-up patch for funcd as
well.
init-scripts/certmaster | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/init-scripts/certmaster b/init-scripts/certmaster
index 5e6f0b1..4642f81 100755
--- a/init-scripts/certmaster
+++ b/init-scripts/certmaster
@@ -8,8 +8,6 @@
### BEGIN INIT INFO
# Provides: certmaster
# Required-Start: network
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
# Short-Description: certificate master for Fedora Unified Network Control 'master server only'
# Description: certificate master to sign/manage ca/cert infrastructure
### END INIT INFO
--
1.7.4.4
applied thx
-sv

Todd Zullinger
2011-06-02 18:10:59 UTC
Starting daemons by default should be avoided.
---
Here's a patch to not start funcd by default as well.

init-scripts/funcd | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)

diff --git a/init-scripts/funcd b/init-scripts/funcd
index 4aa6f53..f72fb05 100755
--- a/init-scripts/funcd
+++ b/init-scripts/funcd
@@ -9,8 +9,6 @@
# Provides: funcd
# Required-Start: network
# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
# Short-Description: Fedora Unified Network Control
# Description: Crazy simple, secure remote management.
### END INIT INFO
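Review bot: the hunk header `@@ -9,8 +9,6 @@` matches the visible three context lines on each side plus the two deletions, so the patch is well-formed, but the documentation side needs a follow-up: with funcd no longer enabled on install, the FuncWithPuppet wiki page being rewritten in this thread must gain an explicit enable/start step (or the equivalent resource in the Puppet module), otherwise readers who follow Greg's "3c: start daemon" will have a minion that works until the next reboot. Also note the context line `# Required-Stop:` is empty here while the certmaster script has no Required-Stop line at all; the two headers should be made consistent in a later change rather than in this one.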
--
1.7.4.4
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Learn from the mistakes of others. You can't live long enough to make
them all yourself.
seth vidal
2011-06-02 18:32:35 UTC
Post by Todd Zullinger
Starting daemons by default should be avoided.
---
Here's a patch to not start funcd by default as well.
init-scripts/funcd | 2 --
1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/init-scripts/funcd b/init-scripts/funcd
index 4aa6f53..f72fb05 100755
--- a/init-scripts/funcd
+++ b/init-scripts/funcd
@@ -9,8 +9,6 @@
# Provides: funcd
# Required-Start: network
-# Default-Start: 3 4 5
-# Default-Stop: 0 1 2 6
# Short-Description: Fedora Unified Network Control
# Description: Crazy simple, secure remote management.
### END INIT INFO
--
1.7.4.4
applied, thx

-sv
seth vidal
2011-04-27 15:34:42 UTC
Post by Greg Swift
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- I have found no need to modify anything in /etc/certmaster on either the overlords or minions
I use the EPEL packages, and they have certmaster=certmaster in
/etc/certmaster/minion.conf, and then the minions fail to start.
If you have certmaster resolvable in the local search domain then
there is nothing to edit. if you don't then, yes, you need to set the
certmaster setting to a valid dns/ip entry
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- Depending on where you get your RPM (I get mine currently from
RPMForge), it may want to install/run certmaster by default. It should
be disabled.
Oh.. I hadn't noticed. Thanks!
IMHO that's a bug in the packaging... skvidal ?
The init script has to have the appropriate settings in it, such as
the default start and stop levels that are present. Otherwise they
wouldn't be compliant, and if you run a reset or on on the service it
wouldn't be put in the appropriate run levels. That being said...
maybe we should add and then disable certmaster on installation right
now. However, there was a discussion the other day about trying to
make func and certmaster play nicer on the minions. I'll be posting
it up as soon as I get some time on the home PC where it's stored for
me to use as a reference.
It's definitely a thought. It would be nice to make it simpler in the
pkging, too.

-sv
Jan-Frode Myklebust
2011-04-27 14:04:59 UTC
Post by Greg Swift
Post by Jan-Frode Myklebust
IMHO that's a bug in the packaging... skvidal ?
The init script has to have the appropriate settings in it, such as
the default start and stop levels that are present. Otherwise they
wouldn't be compliant, and if you run a reset or on on the service it
wouldn't be put in the appropriate run levels.
Hmm.. you have the correct setting for "# chkconfig: - 98 99", but
the "INIT INFO" section takes precedence and has:

# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6

Are you saying these are required to be present in INIT INFO to be lsb
compliant ? I see many initscripts on my systems without these defined..
F.ex. /etc/init.d/httpd on RHEL6:

# chkconfig: - 85 15
<snip>
### BEGIN INIT INFO
# Provides: httpd
# Required-Start: $local_fs $remote_fs $network $named
# Required-Stop: $local_fs $remote_fs $network
# Should-Start: distcache
# Short-Description: start and stop Apache HTTP Server
# Description: The Apache HTTP Server is an extensible server
# implementing the current HTTP standards.
### END INIT INFO



-jf
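As an added example (not code from this thread or from the func/certmaster packages), a small Python parser that applies the precedence Jan-Frode describes above to constructed init-script headers modelled on the ones quoted: where an LSB Default-Start line is present it is taken over the runlevel field of the chkconfig line, otherwise the chkconfig line decides. The precedence rule is the thread's claim and is assumed here; the sample headers are constructed.

```python
import re

# Constructed sample headers, modelled on the certmaster and httpd ones quoted above.
CERTMASTER_LIKE = """\
# chkconfig: - 98 99
### BEGIN INIT INFO
# Provides: certmaster
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
### END INIT INFO
"""

HTTPD_LIKE = """\
# chkconfig: - 85 15
### BEGIN INIT INFO
# Provides: httpd
# Required-Start: $local_fs $remote_fs $network $named
### END INIT INFO
"""

def parse_chkconfig_line(text):
    """Return (runlevels, start_prio, stop_prio) from a '# chkconfig:' line, or None."""
    m = re.search(r"^#\s*chkconfig:\s*(\S+)\s+(\d+)\s+(\d+)", text, re.M)
    if not m:
        return None
    levels, start, stop = m.groups()
    # A lone '-' means "no runlevels by default": the service stays off until enabled by hand.
    runlevels = set() if levels == "-" else set(levels)
    return runlevels, int(start), int(stop)

def parse_lsb_default_start(text):
    """Return the Default-Start runlevels from the INIT INFO block, or None if absent."""
    block = re.search(r"### BEGIN INIT INFO(.*?)### END INIT INFO", text, re.S)
    if not block:
        return None
    m = re.search(r"^#\s*Default-Start:\s*(.*)$", block.group(1), re.M)
    if not m:
        return None
    return set(m.group(1).split())

def default_start_runlevels(text):
    """Runlevels a 'chkconfig <svc> reset' would enable, under the thread's precedence rule."""
    # Assumption (as stated in the thread): LSB Default-Start wins over the chkconfig line.
    lsb = parse_lsb_default_start(text)
    if lsb is not None:
        return lsb
    chk = parse_chkconfig_line(text)
    return chk[0] if chk else set()
```

Run against the two headers, the certmaster-like one comes out enabled in 3, 4 and 5 despite its "-" chkconfig field, while the httpd-like one, with no Default-Start line, stays off in every runlevel.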
seth vidal
2011-04-27 15:33:19 UTC
Permalink
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- I have found no need to modify anything in /etc/certmaster on either the overlords or minions
I use the EPEL packages, and they have certmaster=certmaster in
/etc/certmaster/minion.conf, and then the minions fail to start.
Post by Norvell, Preston
- Depending on where you get your RPM (I get mine currently from
RPMForge), it may want to install/run certmaster by default. It should
be disabled.
Oh.. I hadn't noticed. Thanks!
IMHO that's a bug in the packaging... skvidal?
Post by Norvell, Preston
- There is a nascent puppet module to manage minion and overlord configurations here: http://forge.puppetlabs.com/rodjek/func. I used it as the beginning of my work and hope to push the changes back up stream to the author. It might be good to let folks know it exists.
I wrote my own yesterday ->
http://blag.tanso.net/2011/04/13-puppet-as-certmaster-for-func/
Post by Norvell, Preston
- I found that I needed to create an acl file in /etc/minion-acl.d with the hostname-certhash of the overlord/puppetmaster on each minion, because rather than defaulting to "*" it defaults to "foo" (literally) for the acl.
I didn't need that. My minion-acl.d/ is empty, and I can access the minions
from the overlord. Hmm.. guess I need to understand the access control
model of func better..
the acls are for minion-to-minion. so you can say 'this minion can run
these modules/methods on this other minion'

-sv
Norvell, Preston
2011-04-27 16:37:52 UTC
Permalink
Post by seth vidal
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- I have found no need to modify anything in /etc/certmaster on either the overlords or minions
I use the EPEL packages, and they have certmaster=certmaster in
/etc/certmaster/minion.conf, and then the minions fail to start.
Interesting. We'll be switching to the epel-testing modules here shortly, so I'll keep this in mind. With 0.27 from rf, though, I've not touched anything in the /etc/certmaster dir and we don't have a 'certmaster' defined in any of our dns zones.
Post by seth vidal
Post by Jan-Frode Myklebust
Post by Norvell, Preston
- Depending on where you get your RPM (I get mine currently from
RPMForge), it may want to install/run certmaster by default. It should
be disabled.
Oh.. I hadn't noticed. Thanks!
IMHO that's a bug in the packaging... skvidal?
Post by Norvell, Preston
- There is a nascent puppet module to manage minion and overlord configurations here: http://forge.puppetlabs.com/rodjek/func. I used it as the beginning of my work and hope to push the changes back up stream to the author. It might be good to let folks know it exists.
I wrote my own yesterday ->
http://blag.tanso.net/2011/04/13-puppet-as-certmaster-for-func/
Post by Norvell, Preston
- I found that I needed to create an acl file in /etc/minion-acl.d with the hostname-certhash of the overlord/puppetmaster on each minion, because rather than defaulting to "*" it defaults to "foo" (literally) for the acl.
I didn't need that. My minion-acl.d/ is empty, and I can access the minions
from the overlord. Hmm.. guess I need to understand the access control
model of func better..
the acls are for minion-to-minion. so you can say 'this minion can run
these modules/methods on this other minion'
If that's true then perhaps there is/was an oddity with 0.27. I've set up three environments at work so far, and none of them have worked without an acl file in there; the overlord/puppetmasters are all rejected because the default "*" has perms only to the "foo" (again, literally...) function. Since we'll be switching to epel-testing and their 0.28 rpm shortly, we'll see if that demonstrably changes.
Post by seth vidal
-sv
--
Preston M Norvell <preston.norvell-sdKh1AwYtnTe9wHmmfpqLFaTQe2KTcn/@public.gmane.org>
Systems/Network Engineer
Serials Solutions <http://www.serialssolutions.com>
Phone: (866) SERIALS (737-4257) ext 1094