hiera-eyaml not decrypting on puppet agent runs - but works from CL

raycharlesistheman

Nov 18, 2015, 3:20:42 PM
to Puppet Users


Hi -


Hoping that someone can provide a direction to get this working, I've exhausted my own attempts.
I am simply following the hiera complete example from puppetlabs and shimming in eyaml as a backend.


While I am able to get my encrypted hiera datastore to decrypt from the command line using hiera or puppet apply, things don't work when doing a real puppet agent run.
I put everything about my setup into a paste at http://pastebin.com/8CnppUTS


If there is anyone here with hiera-eyaml experience, please take a look and let me know what's not proper.


-Thanks in advance!

Julian Meier

Nov 18, 2015, 5:50:47 PM
to puppet...@googlegroups.com
Hi

I'm wondering if the gem hiera-eyaml is installed? Are you using puppet server?
puppetserver gem list
puppetserver gem install hiera-eyaml

Julian
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/b39812ef-918b-41a8-a0bf-66240a6a2a9e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

raycharlesistheman

Nov 18, 2015, 6:19:24 PM
to Puppet Users
Hi and thanks for taking a look-

Yes, the gem is installed, actually 2x, I saw in a post on the github site for hiera-eyaml.
/opt/puppetlabs/puppet/bin/gem install hiera-eyaml
/opt/puppetlabs/server/bin/puppetserver gem install hiera-eyaml

the result for list is that it appears for both..


[root@learning /etc]# /opt/puppetlabs/puppet/bin/gem list

*** LOCAL GEMS ***
.
.
hiera-eyaml (2.0.6)


[root@learning /etc]# /opt/puppetlabs/server/bin/puppetserver gem list

*** LOCAL GEMS ***
.
.
hiera-eyaml (2.0.6)

-Ray

Dirk Heinrichs

Nov 19, 2015, 1:41:44 AM
to puppet...@googlegroups.com
On 18.11.2015 at 20:45, raycharlesistheman wrote:

> Hoping that someone can provide a direction to get this working, I've exhausted my own attempts.
> I am simply following the hiera complete example from puppetlabs and shimming in eyaml as a backend.
>
> While I am able to get my encrypted hiera datastore to decrypt from the command line using hiera or puppet apply, things don't work when doing a real puppet agent run.
> I put everything about my setup into a paste at http://pastebin.com/8CnppUTS

What about pure eyaml commands (eyaml encrypt, eyaml edit)? Do they work?
Do you find any hint in the puppetserver logs?
Did you try putting the key configuration entries (pkcs7_(private|public)_key) you have in hiera.yaml into the eyaml config file (/etc/eyaml/config.yaml)?

HTH...

    Dirk
--

Dirk Heinrichs, Senior Systems Engineer, Engineering Solutions
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Tel: +49 2226 1596666 (Ansage) 1149
Email: d...@recommind.com
Skype: dirk.heinrichs.recommind
www.recommind.com

Angel L. Mateo

Nov 19, 2015, 2:07:01 AM
to puppet...@googlegroups.com
Does the user running puppet have permissions for the certificate files?

On 19/11/15 at 00:19, raycharlesistheman wrote:
>> Hi -
>>
>>
>> Hoping that someone can provide a direction to get this working,
>> I've exhausted my own attempts.
>> I am simply following the hiera complete example from puppetlabs
>> and shimming in eyaml as a backend.
>>
>>
>> While I am able to get my encrypted hiera datastore to decrypt
>> from the command line using hiera or puppet apply, things don't
>> work when doing a real puppet agent run.
>> I put everything about my setup into a paste at
>> http://pastebin.com/8CnppUTS
>>
>>
>>
>> If there is anyone here with hiera-eyaml experience, please take a
>> look and let me know what's not proper.
>>
>>
>> -Thanks in advance!

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
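
The permission question above can be checked mechanically. This is an added example, not code from the thread or from hiera-eyaml: it audits a key file for a given account using owner/group/other mode bits, including search permission on every parent directory, which is where a lookup run as root on the command line and one run under a server's own account can differ. The uid offset, the temporary directory and the placeholder key content are constructed for the demo; ACLs and SELinux are not evaluated.

```ruby
require 'pathname'
require 'tmpdir'

# Classic owner/group/other check: does uid/gids hold permission bit `want`
# (4 = read, 1 = search) on the object described by `st`? ACLs are ignored.
def allowed?(st, uid, gids, want)
  return true if uid.zero? # root bypasses mode bits
  shift = if st.uid == uid then 6
          elsif gids.include?(st.gid) then 3
          else 0
          end
  ((st.mode >> shift) & want) == want
end

# Lists what would stop the given account from reading an eyaml key file,
# and flags a private key that accounts outside owner and group can access.
def audit_key(path, uid:, gids:, private_key: false)
  key = Pathname.new(File.expand_path(path))
  return ["#{key}: missing"] unless key.file?
  problems = []
  key.dirname.ascend do |dir|
    problems << "#{dir}: not searchable by uid #{uid}" unless allowed?(dir.stat, uid, gids, 1)
  end
  st = key.stat
  problems << "#{key}: not readable by uid #{uid}" unless allowed?(st, uid, gids, 4)
  problems << "#{key}: private key is world-accessible" if private_key && (st.mode & 0o007) != 0
  problems
end

# Constructed demo: a key created the way root would leave it (0700 directory,
# 0600 file), audited for its owner and for a different, non-root account.
def demo
  Dir.mktmpdir('eyaml-keys') do |dir|
    key = File.join(dir, 'private_key.pkcs7.pem') # hiera-eyaml's default file name
    File.write(key, "constructed placeholder, not a real key\n")
    File.chmod(0o600, key)
    owner = File.stat(key).uid
    service = owner + 4242 # hypothetical uid standing in for the server's account
    result = { owner: audit_key(key, uid: owner, gids: Process.groups, private_key: true),
               service: audit_key(key, uid: service, gids: [], private_key: true) }
    File.chmod(0o644, key)
    result.merge(loose: audit_key(key, uid: owner, gids: Process.groups, private_key: true))
  end
end

puts demo if __FILE__ == $PROGRAM_NAME
```

On a real host, pass the uid and group ids of the account the server process runs as and the key paths configured in hiera.yaml.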

raycharlesistheman

Nov 19, 2015, 10:22:05 AM
to Puppet Users, dirk.he...@recommind.com
Hi Dirk-

Yes, the regular eyaml commands work, edit mode output is in the pastebin.

puppetserver.log entry below, which I see as consistent with what I see with the puppet run.. that it sees a string. The string would be an array if only it got decrypted. :)
2015-11-18 11:49:40,481 ERROR [puppet-server] Puppet Evaluation Error: Error while evaluating a Function Call, "ENC[PKCS7,MIIB+wYJKoZIhvcNAQcDoIIB7DCCAegCAQAxggEhMIIBHQIBADAFMAACAQEw DQYJKoZIhvcNAQEBBQAEggEAJv7HPBFLLOEaM/6EYQbRUkKqdfv0Q+2esiF5 hy3WrEWOPJEk75Ltgrhvz/ru7m1CuTL05XgjZ5kIGwSsaUSVIGzazEshp4kU q6D0Brpbo3g4LLKNTgBL9JtBtIuyObJ5F2uhmig6RL7571VeL1VwNaA8QyVv DYDXIxV2Xk4oE5LpbDFIVzc5FgSeM+0loUe4REwj9vS/ZGzmxBBGbsxn7CCF mYQmDHcu3fmcMNTAEce3sRawl0k/wINegMVmVDgQASns6NrB0hhyw+JTnZSz 4A3HYJEtdzUvEgOxnYWhOmI6Jf3lYDeHBrNqj/wEv2nxwOGy2fTmJxy6quRQ RpcQ/zCBvQYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQoe2gBdpNQ05oF+XG U1DnQoCBkDg8cGtvXjroe1kWcNBcnasfMmy5tlpi+PIbu/c8kGjCuS7sNCXS S2wwz5jsBqO/bWIDJO2s4p2nEEqd2FcrScN20nkCE7gi3/5FfUkRFbp+FIg5 dS+2KpyE+8y9N3+3HfyTRiJCWAklRJqBZ1ztt0KVyF1VW+0CHHqL6Ix74Tge N4X0P8UVrsWI9fRYxrjPJA==]\n" is not an Array.  It looks to be a String at /etc/puppetlabs/code/environments/production/modules/ntp/manifests/init.pp:61:3 on node learning.puppetlabs.vm

Yes- the /etc/eyaml/config.eyaml file has the lines with the paths to the keys, same way as in hiera.yaml.

-Thanks

raycharlesistheman

Nov 19, 2015, 1:15:02 PM
to Puppet Users, ama...@um.es
Yes, permissions are proper.

-thanks