Nested parametrized defines
52 views
Skip to first unread message
Patricia Jung
Nov 14, 2013, 6:32:50 AM11/14/13
to puppet...@googlegroups.com
Dear puppet wizards,
http://docs.puppetlabs.com/puppet/3/reference/lang_defined_types.html does not suggest to me that nested parametrized defines would be forbidden, hence I expected the following code to work:
add_to_ssh_authorized_keys.pp:
--------
define a::ssh_keys::add_to_ssh_authorized_keys($homebasedir="/home", $targetuser="root", $keyowner, $keyownername, $state="present" ) {
$sshdir = "$homebasedir/$targetuser/.ssh"
$authfile = "$sshdir/authorized_keys"
ssh_authorized_key {"$keyo...@censhare.de($keyownername 4096) as $targetuser":
key => template("ssh_public_keys/$keyowner"),
ensure => "$state",
name => "$keyownername",
type => 'ssh-rsa',
target => $authfile,
user => $targetuser,
} }
---------
it_services_admins.pp:
---------
define a::ssh_keys::it_services_admins($user='root'){
censhare::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
targetuser => "$user",
keyowner => 'blah',
keyownername => 'blah',
}
}
---------
class file:
------------
class ….{
censhare::ssh_keys::it_services_admins{ 'b':
user => 'b'
}
censhare::ssh_keys::it_services_admins { 'root':
user => 'root'
}
}
-----
I do however get: "Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/censhare/manifests/ssh_keys/:7"
Any hints? If parametrized defines in fact can't be nested I would appreciate it if the documentation clearly said so, would safe a lot of headache. If it should work I can't figure out the correct syntax and would appreciate an example.
Here's what I actually try to do, perhaps some of you comes up with a smarter suggestion:
- I'd like to define ssh public keys in one place and avoid duplicates.
- These ssh key resources should be usable wrapped in 'groups' (e.g. "all keys used to access the b user's account", ...) and on their own (for use with the Unix account of this one specific user)
- There's a one-to-many relation, i.e. the key x might be used on one node in her own Unix account x, together with all other members of the 'group' "all keys used to access the b user's account" in Unix accounts c and d, and together with "all keys used to access the b user's account" in Unix account b.
- Some of the key owners will have a Unix account on the appropriate node, but most won't, hence it's not possible to connect user and ssh_authorized_key resources.
Thank you for helping me out!
Patricia
--
Patricia Jung
Senior Software and Support Engineer
censhare AG
Paul-Gerhardt-Allee 50, 81245 Muenchen, Germany
Fon +49 89 568236-311
Fax +49 89 568236-501
http://www.censhare.com
http://blog.censhare.com
Vorstand: Walter Bauer, Robert Motzke, Dieter Reichert
Aufsichtsratsvorsitzender: Matthias Zimmermann
Handelsregister: Amtsgericht Muenchen HRB 140617
USt-ID: DE219222021
http://docs.puppetlabs.com/puppet/3/reference/lang_defined_types.html does not suggest to me that nested parametrized defines would be forbidden, hence I expected the following code to work:
add_to_ssh_authorized_keys.pp:
--------
define a::ssh_keys::add_to_ssh_authorized_keys($homebasedir="/home", $targetuser="root", $keyowner, $keyownername, $state="present" ) {
$sshdir = "$homebasedir/$targetuser/.ssh"
$authfile = "$sshdir/authorized_keys"
ssh_authorized_key {"$keyo...@censhare.de($keyownername 4096) as $targetuser":
key => template("ssh_public_keys/$keyowner"),
ensure => "$state",
name => "$keyownername",
type => 'ssh-rsa',
target => $authfile,
user => $targetuser,
} }
---------
it_services_admins.pp:
---------
define a::ssh_keys::it_services_admins($user='root'){
censhare::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
targetuser => "$user",
keyowner => 'blah',
keyownername => 'blah',
}
}
---------
class file:
------------
class ….{
censhare::ssh_keys::it_services_admins{ 'b':
user => 'b'
}
censhare::ssh_keys::it_services_admins { 'root':
user => 'root'
}
}
-----
I do however get: "Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/censhare/manifests/ssh_keys/:7"
Any hints? If parametrized defines in fact can't be nested I would appreciate it if the documentation clearly said so, would safe a lot of headache. If it should work I can't figure out the correct syntax and would appreciate an example.
Here's what I actually try to do, perhaps some of you comes up with a smarter suggestion:
- I'd like to define ssh public keys in one place and avoid duplicates.
- These ssh key resources should be usable wrapped in 'groups' (e.g. "all keys used to access the b user's account", ...) and on their own (for use with the Unix account of this one specific user)
- There's a one-to-many relation, i.e. the key x might be used on one node in her own Unix account x, together with all other members of the 'group' "all keys used to access the b user's account" in Unix accounts c and d, and together with "all keys used to access the b user's account" in Unix account b.
- Some of the key owners will have a Unix account on the appropriate node, but most won't, hence it's not possible to connect user and ssh_authorized_key resources.
Thank you for helping me out!
Patricia
--
Patricia Jung
Senior Software and Support Engineer
censhare AG
Paul-Gerhardt-Allee 50, 81245 Muenchen, Germany
Fon +49 89 568236-311
Fax +49 89 568236-501
http://www.censhare.com
http://blog.censhare.com
Vorstand: Walter Bauer, Robert Motzke, Dieter Reichert
Aufsichtsratsvorsitzender: Matthias Zimmermann
Handelsregister: Amtsgericht Muenchen HRB 140617
USt-ID: DE219222021
Henrik Lindberg
Nov 14, 2013, 6:40:10 PM11/14/13
to puppet...@googlegroups.com
> censhare::ssh_keys::it_services_admins{ 'b':
> user => 'b'
> }
> censhare::ssh_keys::it_services_admins { 'root':
> user => 'root'
> }
> }
>
Looks like you are missing a:: before censhare::ssh_keys...
> user => 'b'
> }
> censhare::ssh_keys::it_services_admins { 'root':
> user => 'root'
> }
> }
>
- henrik
jcbollinger
Nov 15, 2013, 9:47:10 AM11/15/13
to puppet...@googlegroups.com
On Thursday, November 14, 2013 5:32:50 AM UTC-6, Patricia Jung wrote:
Dear puppet wizards,
http://docs.puppetlabs.com/puppet/3/reference/lang_defined_types.html does not suggest to me that nested parametrized defines would be forbidden
You are correct. Defined type bodies may declare resources of any type, including defined types.
, hence I expected the following code to work:
add_to_ssh_authorized_keys.pp:
--------
define a::ssh_keys::add_to_ssh_authorized_keys($homebasedir="/home", $targetuser="root", $keyowner, $keyownername, $state="present" ) {
To be clear, that should appear in <module path>/a/manifests/ssh_keys/add_to_ssh_authorized_keys.pp in order for the autoloader to be able to find it.
it_services_admins.pp:
---------
define a::ssh_keys::it_services_admins($user='root'){
Likewise, that should appear in <module path>/a/manifests/ssh_keys/it_services_admins.pp
censhare::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
targetuser => "$user",
keyowner => 'blah',
keyownername => 'blah',
}
That resource type is not declared among the manifest fragments you presented, although there is a similarly-named one in your module "a".
}
---------
class file:
I suppose you mean that this is the file of the module main class, <module path>/<module_name>/manifests/init.pp
------------
class ….{
censhare::ssh_keys::it_services_admins{ 'b':
user => 'b'
}
censhare::ssh_keys::it_services_admins { 'root':
user => 'root'
}
}
If you change "censhare" to "a" in those declarations then they will match up with the defined types you presented earlier.
-----
I do however get: "Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/censhare/manifests/ssh_keys/:7"
My first guess would be that the file containing the definition is not where the autoloader expects it to be.
Any hints? If parametrized defines in fact can't be nested I would appreciate it if the documentation clearly said so, would safe a lot of headache. If it should work I can't figure out the correct syntax and would appreciate an example.
Have you attempted to obfuscate the manifest fragments you presented? Because they don't seem to line up with each other with respect to names. If those are literal excerpts from your manifests then the name mismatches are at least part of your problem.
If you have attempted to obfuscate, then please stop. Do remove sensitive information (keys, passwords) and reduce the example to a simple form that exhibits the issue, but we're going to have trouble helping you if you introduce new errors that are not present in the original manifests.
Also, it will be helpful to present file paths relative to the module path, as the locations of your manifest files are significant to Puppet.
John
Patricia Jung
Nov 18, 2013, 4:40:46 AM11/18/13
to puppet...@googlegroups.com
Dear John and all,
Am 15.11.2013 um 15:47 schrieb jcbollinger <John.Bo...@stJude.org>:
>
> On Thursday, November 14, 2013 5:32:50 AM UTC-6, Patricia Jung wrote:
>
> http://docs.puppetlabs.com/puppet/3/reference/lang_defined_types.html does not suggest to me that nested parametrized defines would be forbidden
>
>
> You are correct. Defined type bodies may declare resources of any type, including defined types.
>
>
> , hence I expected the following code to work:
>
> add_to_ssh_authorized_keys.pp:
> --------
> define a::ssh_keys::add_to_ssh_authorized_keys($homebasedir="/home", $targetuser="root", $keyowner, $keyownername, $state="present" ) {
>
>
> To be clear, that should appear in <module path>/a/manifests/ssh_keys/add_to_ssh_authorized_keys.pp in order for the autoloader to be able to find it.
Yes, this is true: it's located in /etc/puppet/modules/a/manifests/ssh_keys/add_to_ssh_authorized_keys.pp
>
>
>
>
> censhare::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
Sorry, my fault, the line above reads
a::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
/etc/puppet/modules/c/manifests/nodes/saas.pp. Perhaps this is the problem?
> ------------
class c::nodes::saas{
a::ssh_keys::it_services_admins{ 'b':
user => 'b'
}
a::ssh_keys::it_services_admins{ 'root':
user => 'root'
}
}
The error message reads:
Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/a/manifests/ssh_keys/:7"
Thanks for helping anyway!
Am 15.11.2013 um 15:47 schrieb jcbollinger <John.Bo...@stJude.org>:
>
> On Thursday, November 14, 2013 5:32:50 AM UTC-6, Patricia Jung wrote:
>
> http://docs.puppetlabs.com/puppet/3/reference/lang_defined_types.html does not suggest to me that nested parametrized defines would be forbidden
>
>
> You are correct. Defined type bodies may declare resources of any type, including defined types.
>
>
> , hence I expected the following code to work:
>
> add_to_ssh_authorized_keys.pp:
> --------
> define a::ssh_keys::add_to_ssh_authorized_keys($homebasedir="/home", $targetuser="root", $keyowner, $keyownername, $state="present" ) {
>
>
> To be clear, that should appear in <module path>/a/manifests/ssh_keys/add_to_ssh_authorized_keys.pp in order for the autoloader to be able to find it.
>
>
>
> it_services_admins.pp:
> ---------
> define a::ssh_keys::it_services_admins($user='root'){
>
>
> Likewise, that should appear in <module path>/a/manifests/ssh_keys/it_services_admins.pp
This file is located in etc/puppet/modules/a/manifests/ssh_keys/it_services_admins.pp
>
>
> it_services_admins.pp:
> ---------
> define a::ssh_keys::it_services_admins($user='root'){
>
>
> Likewise, that should appear in <module path>/a/manifests/ssh_keys/it_services_admins.pp
>
>
>
>
> censhare::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
Sorry, my fault, the line above reads
a::ssh_keys::add_to_ssh_authorized_keys{ "$user-blah":
>
> targetuser => "$user",
> keyowner => 'blah',
> keyownername => 'blah',
> }
> }
>
> targetuser => "$user",
> keyowner => 'blah',
> keyownername => 'blah',
> }
> }
>
> ---------
>
> class file:
>
>
> I suppose you mean that this is the file of the module main class, <module path>/<module_name>/manifests/init.pp
>
>
Not necessarily init.pp, and it's outside the a module, e.g.:
>
> class file:
>
>
> I suppose you mean that this is the file of the module main class, <module path>/<module_name>/manifests/init.pp
>
>
/etc/puppet/modules/c/manifests/nodes/saas.pp. Perhaps this is the problem?
> ------------
class c::nodes::saas{
a::ssh_keys::it_services_admins{ 'b':
user => 'b'
}
a::ssh_keys::it_services_admins{ 'root':
user => 'root'
}
}
The error message reads:
Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/a/manifests/ssh_keys/:7"
>
> Have you attempted to obfuscate the manifest fragments you presented?
Sorry -- my intention was to strip the problem down mentally, and I admit to have failed…
> Have you attempted to obfuscate the manifest fragments you presented?
Thanks for helping anyway!
jcbollinger
Nov 18, 2013, 11:26:36 AM11/18/13
to puppet...@googlegroups.com
On Monday, November 18, 2013 3:40:46 AM UTC-6, Patricia Jung wrote:
Dear John and all,
Ah, ok. I understand now.
No, it should not be a problem for instances of your defined type to be declared by classes from other modules or even no module at all. Besides, the declaration in c::nodes::saas is not the locus of the problem.
> ------------
class c::nodes::saas{
a::ssh_keys::it_services_admins{ 'b':
user => 'b'
}
a::ssh_keys::it_services_admins{ 'root':
user => 'root'
}
}
The error message reads:
Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/a/manifests/ssh_keys/:7"
"Invalid resource type" for a defined type, supposing that it's not altogether a red herring, means that Puppet does not recognize the type as a native one (which it isn't), and cannot find a definition for that name. There are a few alternatives for why it might not find the definition, among them
- The definition does not appear in the file the autoloader expects to find it in. You report, however, that it does appear in the correct file.
- The definition is not declared with the expected name. The definition should use the correct fully-qualified name, as indeed you show it to do. If there were some mixup, however -- say the file defined censhare::... when it should have declared a::... -- then you would probably get an error such as you report.
- The Puppet master cannot read the file, or perhaps cannot read some directory in the path to it. Unlike the Puppet agent, the master can and normally does run as an unprivileged user, often named "puppet". If file permissions, ownership, SELinux context, ACLs, or some other access control mechanism prevents the Puppet master process from reading the file, then you might get an error such as you describe.
- As a special case, it is conceivable (though unlikely) that UTF-8 encoded file names containing characters above U+00FF might cause trouble if they appear in the same directory as the definition's file.
- The contents of the file containing the definition are not parsed successfully. I would actually expect a more localized error in this case, but if for some reason none was emitted then the error you report would be a likely fallback outcome. You can test this by running "puppet parser validate <manifest file>" on the file containing the definition.
If the problem is not one of the above then I'm stumped.
John
Patricia Jung
Dec 11, 2013, 5:28:15 AM12/11/13
to puppet...@googlegroups.com
Dear John and all,
Am 18.11.2013 um 17:26 schrieb jcbollinger <John.Bo...@stJude.org>:
>
> Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/a/manifests/ssh_keys/:7"
>
>
> "Invalid resource type" for a defined type, supposing that it's not altogether a red herring, means that Puppet does not recognize the type as a native one (which it isn't), and cannot find a definition for that name. There are a few alternatives for why it might not find the definition, among them
> • The definition does not appear in the file the autoloader expects to find it in. You report, however, that it does appear in the correct file.
I rewrote the entire stuff, and the problem indeed turned out to be an almost invisible mismatch between define name and file name.
I wish I had the time to dive into the puppet code and change error messages to something more specific and useful…
Thanks a lot, John!
Am 18.11.2013 um 17:26 schrieb jcbollinger <John.Bo...@stJude.org>:
>
> Invalid resource type a::ssh_keys::add_to_ssh_authorized_keys at /etc/puppet/modules/a/manifests/ssh_keys/:7"
>
>
> "Invalid resource type" for a defined type, supposing that it's not altogether a red herring, means that Puppet does not recognize the type as a native one (which it isn't), and cannot find a definition for that name. There are a few alternatives for why it might not find the definition, among them
> • The definition does not appear in the file the autoloader expects to find it in. You report, however, that it does appear in the correct file.
I wish I had the time to dive into the puppet code and change error messages to something more specific and useful…
Thanks a lot, John!
Reply all
Reply to author
Forward
0 new messages