Access class results variables in puppet

[Derek Cole]

Hello,

I am not exactly sure how to phrase this, but consider the following:

        case $::role {
                'access': {
                        notify {"Applying access packages" :}
                        include access_packages

                        freebsd::rc_conf { 'test' :
                                value  => 'yes',
                                ensure => 'present'
                        }
                         openvpn::server {'winterthur' :
                        country      => 'CH',
                        province     => 'ZH',
                        city         => 'Winterthur',
                        organization => 'example.org',
                        email        => 'ro...@example.org',
                        server       => '10.200.200.0 255.255.255.0'}

                }
                'client': {
                        notify {"Applying client config" :}
                        openvpn::client { 'client1':
                                server => "winterthur"
                        }

                }
        }


What I am trying to do in 'client' case is reference the server that was defined in the 'access' case. Is this possible? The openvpn module here; https://github.com/luxflux/puppet-openvpn

contains some examples and such that lead me to believe there should be a reference, but it seems like that only is applicable if they have the same scope. How would I go about storing off the 'winterthur' openvpn::server for use by the clients later? Puppet's class variable access and scoping in general are a little confusing to me at this point. I tried the obvious assigning a $variable but that didn't work either. Also, looking at the openvpn code, it seems like openvpn::server is "define"d instead of using the class keyword. does this make a difference?

Thanks

[Matthew Barr]

In this case, you’ve got 2 issues.

1, most of that data would, ideally, be in Hiera. But, with a defined type, you can’t use the parameterized classes lookup.

2. That case statement means that the catalog for the system with “client" doesn’t even know anything about the “access" resources.

I’d suggest in this case: (but I’m not loving the code design, to be honest. Look under the example for more.



$vpn_server = ‘winterthur'

case $::role {
'access': {
<snip>
openvpn::server {“$vpn_server" :

country => 'CH',
province => 'ZH',
city => 'Winterthur',
organization => 'example.org',
email => 'ro...@example.org',
server => '10.200.200.0 255.255.255.0'}

}
'client': {
notify {"Applying client config" :}
openvpn::client { 'client1':

server => “$vpn_server"
}

}
}

This screams for a better separation, to me. Unless you only have 1 set of servers & clients…
— Maybe use a class, with the parameters pulling in the details from hiera, and using the variable parameters in the code.
— they would include city,province, server_ip, email, country.





Matthew Barr
mb...@mbarr.net
c: (646) 727-0535

> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9de48764-707d-4529-a018-42a4782310f3%40googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

[Derek Cole]

I see what you're saying about the design of the code. The suggested workaround you proposed doesn't work. It's the same as if I just have the literal in there.
 
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find resource 'Openvpn::Server[winterthur]' for relationship on 'Openvpn::Client[client1]' on node 28ae5ab6-e8f4-4da1-bae3-4df3ce94a6fe.cs1cloud.internal
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

I think I just realized something about the library after looking at the dependencies in the client code. This module actually just generates all of the configs but i dont think is meant to actually be used to deploy onto a virtual machine. The end result if I run this on a specific node is that I end up with an importable openvpn profile.

I was under the impression that the openvpn::client name actually installed the profile on the actual remote node. I guess I am going to need a separate process to import that openvpn profile on a specific node that is a client node.

The end goal here is to automatically provision a node that is a server, and a few nodes that connect to that server with openvpn. This module won't actually do all of that like I thought.

-Derek

[Jeff Bachtel]

In the case of the module you're using ( https://github.com/luxflux/puppet-openvpn it appears) and you seem to have already understood this, the client resource has a hard dependency on files that should only exist on the server (due to client cert generation process).

All is really not lost, though. Because the openvpn::client script generates two files for the openvpn configuration, you can easily enough do:

������� case $::role {

��������������� 'access': {

����������������������� notify {"Applying access packages" :}

����������������������� include access_packages

����������������������� freebsd::rc_conf { 'test' :

������������������������������� value� => 'yes',

������������������������������� ensure => 'present'

����������������������� }

����������������������� openvpn::server {'winterthur' :

����������������������� country����� => 'CH',

����������������������� province���� => 'ZH',

����������������������� city�������� => 'Winterthur',

����������������������� organization => 'example.org',

����������������������� email������� => 'ro...@example.org',

����������������������� server������ => '10.200.200.0 255.255.255.0'}

����������������������� openvpn::client { 'client1':
������������������������������� server => "winterthur"
����������������������� } -> @@file { '/etc/openvpn/win
terthur/download-configs/client1.ovpn' }

                        openvpn::client_specific_config { 'client1':
������������������������������� server => "winterthur"
����������������������� } -> @@file { '/etc/openvpn/winterthur/client-configs/client1' }

��������������� }

��������������� 'client': {

����������������������� notify {"Applying client config" :}

����������������������� File <<| name == '/etc/openvpn/winterthur/download-configs/client1.ovpn' |>>

����������������������� File <<| name == '/etc/openvpn/winterthur/client-configs/client1' |>>
��������������� }

������� }

This will instantiate the files on your client (assuming the server has applied its manifest successfully) and it can then be the target of an actual openvpn client configuration. Note that you'll have to do the latter yourself, as the module you're using doesn't seem to actually handle OpenVPN client package installation.

The more traditionally puppet way to handle this would be to have the CA or delegate CA on the puppet server itself, and have it write out such keys to some place like /etc/puppet/keydist/$fqdn for hosts to pull down using normal puppet:/// fileserver syntax.

I've not tested my above code, and haven't reviewed the module from luxflux enough to guarantee that it will work for you. It'd definitely require some investigation, as you're extending the module a bit beyond its original intent.

Jeff

On 12/09/2013 05:32 PM, Derek Cole wrote:

Hello,

I am not exactly sure how to phrase this, but consider the following:

������� case $::role {
��������������� 'access': {
����������������������� notify {"Applying access packages" :}
����������������������� include access_packages

����������������������� freebsd::rc_conf { 'test' :
������������������������������� value� => 'yes',
������������������������������� ensure => 'present'
����������������������� }
������������������������ openvpn::server {'winterthur' :
����������������������� country����� => 'CH',
����������������������� province���� => 'ZH',
����������������������� city�������� => 'Winterthur',
����������������������� organization => 'example.org',
����������������������� email������� => 'ro...@example.org',
����������������������� server������ => '10.200.200.0 255.255.255.0'}

��������������� }
��������������� 'client': {
����������������������� notify {"Applying client config" :}
����������������������� openvpn::client { 'client1':
������������������������������� server => "winterthur"
����������������������� }

��������������� }
������� }

What I am trying to do in 'client' case is reference the server that was defined in the 'access' case. Is this possible? The openvpn module here; https://github.com/luxflux/puppet-openvpn

contains some examples and such that lead me to believe there should be a reference, but it seems like that only is applicable if they have the same scope. How would I go about storing off the 'winterthur' openvpn::server for use by the clients later? Puppet's class variable access and scoping in general are a little confusing to me at this point. I tried the obvious assigning a $variable but that didn't work either. Also, looking at the openvpn code, it seems like openvpn::server is "define"d instead of using the class keyword. does this make a difference?

Thanks