I have been using hiera to store information in ./modulename/data using a hiera.yaml file under ./modulename/hiera.yaml. One looks like this:
#
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "source file"
    path: "source.yaml"
I would like to use eyaml to encrypt the file, but doing something like this gives me errors in the hiera.yaml...
#
---
version: 5
defaults:
  datadir: data
  data_hash: eyaml_data
hierarchy:
  - name: "authorized_keys"
    path: "auth_keys.eyaml"
eyaml:
  pkcs7_private_key: data/keys/private_key.pkcs7.pem
  pkcs7_public_key: data/keys/public_key.pkcs7.pem
I figure there is some setup to the module specific hiera.yaml that I can use to decrypt the file or specific lines in the file, but I'm unable to find a lot on eyaml beyond how to set it up for use in /etc/puppet/puppet/keys.
I've created the pkcs7 keys in ./modulename/data/keys/
The pkcs7_public and private keys do not have to be the ones under data/keys in the module directory, they could be the global ones in /etc/puppet/puppet/keys
I believe I found my answer, it was in some of the docs for hiera-eyaml:
https://github.com/voxpupuli/hiera-eyaml
Hopefully if anyone else has this question my findings can help :)
you can use the hiera.yaml config described in the doc under ./ModuleName/hiera.yaml
Here is my test example, I modified an existing test module to test this working. I think it requires:
PE 2017.1
latest hiera and puppet that comes with v 2017.1
gem install hiera-eyaml & puppetserver gem install hiera-eyaml (I had to run this a few times for the modules to show up correctly as well as some puppet agent -t runs)
log out and log back in for env paths
Here is my module:
$ tree master_cron/
master_cron/
├── data
│   └── secrets.eyaml
├── hiera.yaml
└── manifests
    └── init.pp
$ ll /etc/puppetlabs/puppet/keys/
total 8.0K
drwxr-xr-x. 2 pe-puppet pe-puppet 63 Mar 18 16:51 .
drwxr-xr-x. 4 root root 207 Mar 18 17:03 ..
-rw-------. 1 pe-puppet pe-puppet 1.7K Mar 18 16:51 private_key.pkcs7.pem
-rw-r--r--. 1 pe-puppet pe-puppet 1.1K Mar 18 16:51 public_key.pkcs7.pem
$ cat hiera.yaml
---
version: 5
defaults:
  datadir: data
hierarchy:
  - name: "secret data"
    lookup_key: eyaml_lookup_key
    path: "secrets.eyaml"
    options:
      pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
      pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
...
You could specify a key for the module itself, and put it in data/keys...
$ cat data/secrets.eyaml
---
master_cron::jobs:
  "chown_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: ENC[PKCS7,...]
  "chmod_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: ENC[PKCS7,...]
This is just a test module I made that creates some cron jobs, I encrypted the commands as a test, not really a practical use for eyaml though ;)
here's what this looks like decrypted:
---
master_cron::jobs:
  "chown_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: chown -R pe-puppet:pe-puppet /etc/puppetlabs/code/environments/production/modules
  "chmod_pe-puppet":
    environment: "PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin"
    minute: '*/5'
    user: root
    command: chmod -R 755 /etc/puppetlabs/code/environments/production/modules
And I use the hiera data in the module as you could without it encrypted:
class master_cron ($jobs) {
  create_resources(cron, $jobs)
}
I have Artifactory 6.20.1 running in a Docker container. I'm trying to install the artifactCleanup plugin (https://github.com/jfrog/artifactory-user-plugins/tree/master/cleanup/artifactCleanup)
I have put the artifactCleanup.groovy file in the corresponding folder:
$ ls -all /opt/jfrog/artifactory/var/etc/artifactory/plugins/
total 36
drwxr-xr-x 2 artifact artifact 4096 Feb 24 10:28 .
drwxr-xr-x 3 artifact artifact 4096 Feb 23 15:24 ..
-rwxr-xr-x 1 artifact artifact 5829 Feb 23 15:25 README.md
-rwxr-xr-x 1 artifact artifact 14043 Feb 23 15:26 artifactCleanup.groovy
-rwxr-xr-x 1 artifact artifact 325 Feb 24 10:28 artifactCleanup.json
However if I'm trying to see my loaded plugins I get an empty response
curl -X GET -u "admin:password" http://localhost:8081/artifactory/api/plugins
{}
The Server has been restarted before running that request. All commands have been running inside the Docker container. I have been looking at the documentation (https://www.jfrog.com/confluence/display/JFROG/User+Plugins) on how to install plugins. My User account which was used for the rest calls is an admin account.
Now I am out of clues, why that plugin is not loading?
You can reload plugins using the Reload Plugins REST API endpoint below.
https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-ReloadPlugins
Please comment here if you are running into any issues.
Turns out I created a wrong directory. Correct directory is
/var/opt/jfrog/artifactory/etc/plugins
which already existed.
When I create a dir with ansible, its rights are:
dr------wT
Code:
- name: "Create Dir in opt"
  become: yes
  file:
    path: "/opt/test"
    state: directory
    mode: 770
    owner: test
    group: test
How do I create a dir with simple rights?
drwxrwx---
Thanks again!
Ok I found:
Put 0 before 770
mode: 0770
Thanks all!
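Added example, not part of the original posts: a small Python check showing why the unquoted mode 770 above ended up as dr------wT (YAML hands Ansible the decimal integer 770, which is 1402 in octal: sticky bit, owner read, world write) and flagging such values in task text. The regex line scan, the function names and the second sample task are assumptions made for this illustration; the sample is constructed from the task in the question, trimmed to the relevant keys.

```python
import re
import stat

# Captures the raw value of a "mode:" key on one line of task YAML.
MODE_RE = re.compile(r"^\s*mode:\s*(?P<val>\S+)\s*$")

def effective_mode(raw):
    """Return (permission bits, decimal_bug) for a mode value as written."""
    val = raw.strip("'\"")
    quoted = val != raw
    if re.fullmatch(r"[0-7]+", val) and (quoted or val.startswith("0")):
        return int(val, 8), False      # read as octal, which is what was meant
    if val.isdigit() and not quoted:
        return int(val), True          # bare decimal integer used as the bits
    return None, False                 # symbolic modes, "preserve": not checked

def audit(task_text):
    """List every numeric mode with the permissions it really produces."""
    findings = []
    for lineno, line in enumerate(task_text.splitlines(), 1):
        m = MODE_RE.match(line)
        bits, bug = effective_mode(m.group("val")) if m else (None, False)
        if bits is None:
            continue
        findings.append({
            "line": lineno, "written": m.group("val"), "octal": oct(bits),
            "applied": stat.filemode(stat.S_IFDIR | bits),  # shown as a directory
            "decimal_bug": bug, "world_writable": bool(bits & stat.S_IWOTH),
        })
    return findings

# Constructed sample: the task from the question plus the corrected form.
SAMPLE = """\
- name: "Create Dir in opt"
  file:
    path: "/opt/test"
    state: directory
    mode: 770
- name: "Create Dir in opt (leading zero)"
  file:
    path: "/opt/test"
    state: directory
    mode: 0770
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

The first finding is the one to act on: the directory is not only missing the intended owner and group access, it is writable by every local user.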
The actual folder had 777 permissions as seen below:
drwxrwxrwx 3 destuser destuser 29 Jan 14 08:40 /tmp/mohtas/folder
I took the backup using the below playbook and wanted to preserve the permissions i.e 777 for the backup folder
---
- name: "Play 3"
  hosts: all
  user: destuser
  gather_facts: false
  tasks:
    - set_fact:
        tdate: "bkp.{{ '%d%b%Y_%H%M%S' | strftime }}"
    - name: Take Backup when dest_path and source path are the same.
      ignore_errors: yes
      copy:
        src: "/tmp/mohtas/folder"
        dest: "/tmp/mohtas/folder.{{ tdate }}"
        mode: preserve
However, the backup folder was created with a different permissions as below:
drwxr-xr-x 3 destuser destuser 17 Jan 15 09:07 /tmp/mohtas/folder.bkp.15Jan2021_090700
The strange thing is the backup permissions are preserved if i mention src: /tmp/mohtas/file.txt as a file and not a directory.
I understand that I can use stat module but was looking for a better/quicker solution as i'm dealing with a loop of files/folders.
My ansible version is
[destuser@desthost /]$ ansible --version
ansible 2.4.2.0
  config file = /home/destuser/.ansible.cfg
  configured module search path = [u'/home/destuser/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5
I'm trying to apply a salt state to my non prod environment at /srv/salt/non-prod
I'm getting this result:
[root@salt non-prod]# salt '*' state.apply
salt.localdomain:
----------
          ID: states
    Function: no.None
      Result: False
     Comment: No Top file or external nodes data matches found.
     Changes:

Summary for salt.localdomain
------------
Succeeded: 0
Failed: 1
I have this location defined in my master config
non-prod:
  - /srv/non-prod
  - /srv/salt/non-prod/services
  - /srv/salt/non-prod/states
I have a top file located here:
[root@salt ~]# cat /srv/salt/non-prod/top.sls
base:
  '*':
    - apache
    - python
    - ssh
    - users
These are the contents of the non-prod directory
[root@salt ~]# ls -lh /srv/salt/non-prod/
total 16K
drwxr-xr-x. 2 root root 4.0K Oct 3 21:02 apache
drwxr-xr-x. 2 root root 45 Oct 3 20:57 python
drwxr-xr-x. 2 salt salt 6 Oct 3 14:10 services
drwxr-xr-x. 2 root root 54 Oct 3 18:23 ssh
drwxr-xr-x. 2 salt salt 6 Oct 3 14:10 states
-rw-r--r--. 1 root root 80 Oct 3 15:29 state.template
-rw-r--r--. 1 root root 174 Oct 3 15:30 test.sls
-rw-r--r--. 1 root root 61 Oct 3 21:14 top.sls
drwxr-xr-x. 2 root root 22 Oct 3 21:03 users
drwxr-xr-x. 2 salt salt 99 Oct 3 18:28 webserver
it contains a few salt modules
How can I apply salt states to just the non-prod environment?
If you check the syntax using some yaml validation tools, then we can go to next step.
Read the saltstack top documentation thoroughly. You will notice that when setting a different environment, you first explicitly define the alternate environment name in /etc/salt/master and also specify it under top.sls
i.e., your file_roots specifies the non-prod environment
file_roots:
  #non-prod environment
  non-prod:
    - /srv/non-prod
    - /srv/salt/non-prod/services
    - /srv/salt/non-prod/states
Thus your top.sls should use the environment name non-prod, not base
non-prod:
  '*':
    - apache
    - python
    - ssh
    - users
Since saltstack always uses the "base" environment by default, you should apply the state explicitly.
salt '*' state.highstate saltenv=non-prod
I am trying to set up my first Git based WordPress theme development using roots as my starting theme. I was planning to develop a theme locally and push to my Dreamhost VPS every now and then. Read some info on the Dreamhost Wiki. I also followed David Winter's tutorial on setting up a WordPress core update option with Git.
I also set up another repo for my theme with the theme roots as a basis. Perhaps I should have made it a submodule too, but I am just learning by doing here.. I set up a bare repo on the server and locally I tried to make a pull request, but this is not working.
Locally
For my local theme I have this:
$ pwd
/opt/local/www/imagewize/wp-content/themes/img/.git
jaspersmbp:.git jasper$ cat config
and here the git config file for the theme:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
[remote "origin"]
    url = ssh://me@domain.com/~/domain.com/wp-content/themes/img
    fetch = +refs/heads/*:refs/remotes/origin/*
WordPress submodule details are:
location:
$ pwd
/opt/local/www/imagewize
Git config file:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    ignorecase = true
[submodule "wordpress"]
    url = git://github.com/WordPress/WordPress.git
Remote
On the remote DH VPS inside the theme I have this config:
[core]
    repositoryformatversion = 0
    filemode = true
    bare = true
When I am inside the theme locally and try to connect to Dreamhost VPS I get:
$ git pull origin master
fatal: Couldn't find remote ref master
me:img jasper$ fatal: The remote end hung up unexpectedly
Debugging
$ git branch -a
loads nada locally..
git push origin master
error: src refspec master does not match any.
error: failed to push some refs to 'ssh://me@domain.com/~/imagewize.com/wp-content/themes/img'
Update
Adjusted url in config and now I get:
git push origin master
fatal: '/imagewize.com/wp-content/themes/img' does not appear to be a git repository
fatal: The remote end hung up unexpectedly
Update II
I did some more online reading and after I found src refspec master does not match any when pushing commits in git I realized I did do adds, but no commit.
git commit -m 'Initial commit'
[master (root-commit) 7bbcd6a] Initial commit
137 files changed, 17766 insertions(+)
create mode 100644 .gitignore
.........
And then:
$ git push origin master
Counting objects: 150, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (144/144), done.
Writing objects: 100% (150/150), 259.70 KiB, done.
Total 150 (delta 26), reused 0 (delta 0)
To ssh://me@domain.com/~/domain.com/wp-content/themes/img/
* [new branch] master -> master
And we are up and running!
Only somehow my local files were not uploaded to the remote theme folder
$ ls -lha
total 16K
drwxrwxr-x 7 me server 147 Oct 7 20:21 .
drwxr-xr-x 6 me server 105 Oct 7 20:21 ..
-rw-rw-r-- 1 me server 23 Oct 7 20:21 HEAD
drwxrwxr-x 2 me server 10 Oct 7 20:21 branches
-rw-rw-r-- 1 me server 66 Oct 7 20:21 config
-rw-rw-r-- 1 me server 73 Oct 7 20:21 description
drwxrwxr-x 2 me server 4.0K Oct 7 20:21 hooks
drwxrwxr-x 2 me server 28 Oct 7 20:21 info
drwxrwxr-x 4 me server 40 Oct 7 20:21 objects
drwxrwxr-x 4 me server 41 Oct 7 20:21 refs
, but I should work that out soon enough..
Update III
Bare repositories do not have a working directory it seems explained here. They seem to say I should clone on production. So wherever I create the bare repository is not where I clone the final result.
Will just have to change the setup. Where I push to will just be the git repo for keeping track of changes like Github and wherever I want to have the end result I will clone the repo.