python Script with answer file not working
28 views
Skip to first unread message
Jochen Haeberle
May 16, 2018, 8:31:53 AM5/16/18
to puppet...@googlegroups.com
Hi,
I am trying to install seafile with Puppet. Puppet 5.5.1 on Debian 9.
seafile is installed with an interactive shellscript calling a python script. I prepared an answer file, which is interactively working fine, up until where the db password is asked for. The input there is handled differently, not echoed back to the prompt and the execution changes to interactively for the input.
The code part getting the user input looks like the following:
# prompt for user input
if password:
answer = getpass.getpass(desc).strip()
else:
answer = raw_input(desc).strip()
Is there a way to get this to work in Puppet? I tried with the following exec:
exec { 'run seafile installer w answers file':
command => "/opt/seafile/${instanz}/${seafile_folder}/setup-seafile-mysql.py /opt/seafile/${instanz}/${seafile_folder}5/${instanz}-answers.txt",
creates => "/opt/seafile/${instanz}/seafile-server-latest",
require => Archive[$seafile_archive],
provider => shell,
}
but I get:
Notice: /Stage[main]/Role::Share_server/Archive[seafile-server_6.2.5_x86-64.tar.gz]/ensure: download archive from puppet:///modules/profile/seafile/seafile-server_6.2.5_x86-64.tar.gz to /opt/seafile/installed/seafile-server_6.2.5_x86-64.tar.gz and extracted in /opt/seafile/test with cleanup
Notice: /Stage[main]/Role::Share_server/File[/opt/seafile/test/seafile-server-6.2.5/test-answers.txt]/ensure: defined content as '{md5}25f64045b6676488e407c84c6a18eb20'
Notice: /Stage[main]/Role::Share_server/Exec[run seafile installer w answers file]/returns: /bin/sh: 1: /opt/seafile/test/seafile-server-6.2.5/setup-seafile-mysql.py: Permission denied
Can it be done?
Thanks in advance
Jochen
程伟
May 16, 2018, 10:50:53 PM5/16/18
to Puppet Users
在 2018年5月16日星期三 UTC+8下午8:31:53,Jochen Haeberle写道:
I think it is a problem about command in exec resource. Why not try "/opt/seafile/${instanz}/${seafile_folder}/setup-seafile-mysql.py /opt/seafile/${instanz}/${seafile_folder}5/${instanz}-answers.txt" in your shell? Or try "python /opt/seafile/${instanz}/${seafile_folder}/setup-seafile-mysql.py /opt/seafile/${instanz}/${seafile_folder}5/${instanz}-answers.txt"? When you make it works in shell, then try it in puppet.
Red Cricket
May 16, 2018, 11:03:49 PM5/16/18
to puppet-users
Notice what your error message is ... /opt/seafile/test/seafile-server-6.2.5/setup-seafile-mysql.py: Permission denied
make sure that /opt/seafile/test/seafile-server-6.2.5/setup-seafile-mysql.py is executable
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/92b21e37-9ecc-49dd-8d61-4f522278d54e%40googlegroups.com.
Jochen Haeberle
May 17, 2018, 3:10:49 AM5/17/18
to puppet...@googlegroups.com
My Bad! While playing around, I produced a typo. The script that should be executed is a .sh, not .py :-(
Nevertheless… even on CLI the script does not run with the answer file alone. I have to enter the pw manually, then the automated run continues.
Regards
Jochen
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAHu%2B3OxWr3b5aeWeB6%2BNYShwtc3j_L5XNOGSyivi9CQsO48pMA%40mail.gmail.com.
Jochen Haeberle
May 17, 2018, 3:17:05 AM5/17/18
to puppet...@googlegroups.com
Thanks! There was an error in the resource. Should be setup-seafile-mysql.sh. (not .py)
But it does not work anyway :-/
even on cli, execution of the script with the answer file stops at the pw enter. After manually entering the pw, the automated execution continues.
Greetings
Jochen
Am 17.05.2018 um 05:03 schrieb Red Cricket <red.cric...@gmail.com>:
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAHu%2B3OxWr3b5aeWeB6%2BNYShwtc3j_L5XNOGSyivi9CQsO48pMA%40mail.gmail.com.
jcbollinger
May 17, 2018, 9:23:31 AM5/17/18
to Puppet Users
On Thursday, May 17, 2018 at 2:17:05 AM UTC-5, Jochen Haeberle wrote:
Thanks! There was an error in the resource. Should be setup-seafile-mysql.sh. (not .py)But it does not work anyway :-/even on cli, execution of the script with the answer file stops at the pw enter. After manually entering the pw, the automated execution continues.
It sounds very much like the script is reading the PW directly from the terminal, which is not so uncommon for reading passwords in an interactive session. But it does not play well with non-interactive use.
If it is available, by far the easiest and most robust way to install almost any software -- puppet or no puppet -- is via an installation package for your system's particular package management system. I.e. an RPM on RedHat-family and some other Linuxes, a DEB on Debian-family Linuxes, etc.. Ideally, the package provider puts it in a package repository, but there are ways to handle it even if they don't. It looks like there may even be official Debian packages for Seafile (I googled "seafile deb"), so I would definitely look in that direction.
If there is indeed a suitable package or packages, then probably the usual package / config [/ service] model for a corresponding Puppet module will work just fine. Any way around, it doesn't sound like you'll be able to use the installation script without modification.
John
Jochen Haeberle
May 17, 2018, 10:07:08 AM5/17/18
to puppet...@googlegroups.com
Hi John,
Am 17.05.2018 um 15:23 schrieb jcbollinger <John.Bo...@stJude.org>:If it is available, by far the easiest and most robust way to install almost any software -- puppet or no puppet -- is via an installation package for your system's particular package management system. I.e. an RPM on RedHat-family and some other Linuxes, a DEB on Debian-family Linuxes, etc..
Definitely!
Ideally, the package provider puts it in a package repository, but there are ways to handle it even if they don't. It looks like there may even be official Debian packages for Seafile (I googled "seafile deb"), so I would definitely look in that direction.
I was not able to find any server packages. What you point to is a client, that’s a different story.
I guess this interactive installer script is a sort of cripple ware. There is a pro version, offering a scripted installation :-(
I managed to install seafile by now with a lot of puppet support in three phases:
1) Puppet: install files, prepare db, generate answer file, print reminder
2) Manual script run, entering db-password
3) Puppet: Setup Nginx, Let’s encrypt and move folders to network device
I do not really like this, but I do not see any other solution at the moment. I might easily run into concurrency issues
Thanks for your advice!
Greetings
Jochen
Karsten Heymann
May 17, 2018, 10:31:11 AM5/17/18
to puppet...@googlegroups.com
Am Do., 17. Mai 2018 um 16:07 Uhr schrieb Jochen Haeberle <
jochen....@gmail.com>:
with custom facts. I was using this mechanism to generate certificate
requests with puppet, than manually sign them with our internal CA, copy
the signed certificate back to the server and on the next run let puppet
continue the setup when it detects the certificate is present. In case
you're interested, here's my custom fact for that setup:
cat modules/profiles/facts.d/servercert
#!/bin/bash
set -e
set -u
set -o pipefail
CERTDIR=/etc/ssl/servercerts
CERTFILE="$CERTDIR/$(hostname -f).crt"
KEYFILE="/etc/ssl/private/$(hostname -f).pem"
CAFILE="/etc/ssl/certs/ca-certificates.crt"
if [ -a "$KEYFILE" ] ; then
if [ -a "$CERTFILE" ] ; then
CERTMOD="$(openssl x509 -noout -modulus -in "$CERTFILE" | grep
^Modulus= | cut -d= -f2)"
KEYMOD="$(openssl rsa -check -noout -modulus -in "$KEYFILE" | grep
^Modulus= | cut -d= -f2)"
if [ "x$CERTMOD" == "x$KEYMOD" ] ; then
if openssl verify -CAfile "$CAFILE" "$CERTFILE" > /dev/null ; then
echo "servercert=present"
echo "servercertfile=$CERTFILE"
echo "servercertkeyfile=$KEYFILE"
echo "servercertinfo=$(openssl x509 -noout -enddate -in
"$CERTFILE")"
else # Cert/CA mismatch
echo "servercert=absent"
echo "servercertinfo=Certificate from unknown CA"
fi
else
echo "servercert=absent"
echo "servercertinfo=Key/Certificate mismatch"
fi
else # CERTFILE missing
echo "servercert=absent"
echo "servcercertinfo=Certificate missing"
fi
else # KEYFILE missing
echo "servercert=absent"
echo "servercertinfo=Key missing"
fi
This gives me several variables I can check for in the puppet manifest and
depending on where in the installation process we are, for example enable
the apache ssl vhost. (It also makes sure that the certificate is actually
signed by our CA, but that's not really relvant for your problem).
Hope that helps a bit
Karsten
jochen....@gmail.com>:
> I managed to install seafile by now with a lot of puppet support in three
phases:
> 1) Puppet: install files, prepare db, generate answer file, print reminder
> 2) Manual script run, entering db-password
> 3) Puppet: Setup Nginx, Let’s encrypt and move folders to network device
> I do not really like this, but I do not see any other solution at the
moment. I might easily run into concurrency issues
What I did in a similar situation was to detect the different setup phases
phases:
> 1) Puppet: install files, prepare db, generate answer file, print reminder
> 2) Manual script run, entering db-password
> 3) Puppet: Setup Nginx, Let’s encrypt and move folders to network device
> I do not really like this, but I do not see any other solution at the
moment. I might easily run into concurrency issues
with custom facts. I was using this mechanism to generate certificate
requests with puppet, than manually sign them with our internal CA, copy
the signed certificate back to the server and on the next run let puppet
continue the setup when it detects the certificate is present. In case
you're interested, here's my custom fact for that setup:
cat modules/profiles/facts.d/servercert
#!/bin/bash
set -e
set -u
set -o pipefail
CERTDIR=/etc/ssl/servercerts
CERTFILE="$CERTDIR/$(hostname -f).crt"
KEYFILE="/etc/ssl/private/$(hostname -f).pem"
CAFILE="/etc/ssl/certs/ca-certificates.crt"
if [ -a "$KEYFILE" ] ; then
if [ -a "$CERTFILE" ] ; then
CERTMOD="$(openssl x509 -noout -modulus -in "$CERTFILE" | grep
^Modulus= | cut -d= -f2)"
KEYMOD="$(openssl rsa -check -noout -modulus -in "$KEYFILE" | grep
^Modulus= | cut -d= -f2)"
if [ "x$CERTMOD" == "x$KEYMOD" ] ; then
if openssl verify -CAfile "$CAFILE" "$CERTFILE" > /dev/null ; then
echo "servercert=present"
echo "servercertfile=$CERTFILE"
echo "servercertkeyfile=$KEYFILE"
echo "servercertinfo=$(openssl x509 -noout -enddate -in
"$CERTFILE")"
else # Cert/CA mismatch
echo "servercert=absent"
echo "servercertinfo=Certificate from unknown CA"
fi
else
echo "servercert=absent"
echo "servercertinfo=Key/Certificate mismatch"
fi
else # CERTFILE missing
echo "servercert=absent"
echo "servcercertinfo=Certificate missing"
fi
else # KEYFILE missing
echo "servercert=absent"
echo "servercertinfo=Key missing"
fi
This gives me several variables I can check for in the puppet manifest and
depending on where in the installation process we are, for example enable
the apache ssl vhost. (It also makes sure that the certificate is actually
signed by our CA, but that's not really relvant for your problem).
Hope that helps a bit
Karsten
Reply all
Reply to author
Forward
0 new messages