I created a Vagrant instance and I am getting this error every time I try to run psql in the terminal. How would I fix it? The error is as follows:
psql: FATAL: role "vagrant" does not exist
I thought vagrant takes care of this? This is my vagrant file:
Vagrant.require_plugin "vagrant-omnibus"
Vagrant.require_plugin "vagrant-berkshelf"
Vagrant.configure(2) do |config|
  # Box config
  config.vm.box = 'precise64'
  config.vm.box_url = 'http://files.vagrantup.com/precise64.box'
  # Plugin config
  config.omnibus.chef_version = :latest
  config.berkshelf.enabled = true
  # Network config
  config.vm.network :forwarded_port, guest: 3000, host: 3000
  # Virtual config
  config.vm.provider(:virtualbox) do |vb|
    vb.customize [
      "modifyvm", :id,
      "--memory", "1024",
      "--cpus", "4"
    ]
  end
  # Provisioner config
  config.vm.provision :chef_solo do |chef|
    chef.add_recipe 'apt'
    chef.add_recipe 'postgresql::client'
    chef.add_recipe 'postgresql::server'
    chef.add_recipe 'build-essential'
    chef.add_recipe 'rvm::system'
    chef.add_recipe 'git'
    chef.json = {
      :postgresql => {
        :version => '9.3'
      },
      "postgresql" => {
        "password" => {
          "postgres" => "kshgfi3ret3hihjfbkivtbo3ity835"
        }
      },
      "database" => {
        "create" => ["aisisplatform"]
      },
      :git => {
        :prefix => "/usr/local"
      },
      :rvm => {
        'rubies' => [ 'ruby-2.1.0' ],
        'default_ruby' => 'ruby-2.1.0',
        'vagrant' => {
          :system_chef_solo => '/usr/bin/chef-solo'
        }
      },
    }
  end
end
You don't have a vagrant user in Postgres, and when you run psql, it tries to log in as the vagrant user (the same name as the OS user). You may try something like:
psql -U postgres -h localhost
to log in as the postgres user, with the password specified in your Vagrantfile for the postgres user.
Then, you have several options:
Export the PGUSER and PGHOST environment variables to set the user and host (psql without parameters will use these values). You may also want to use a .pgpass file to avoid entering the password on each psql execution.
Modify the Vagrantfile to create a vagrant user in Postgres with a password.
In my Postgres password, there is a #. Something like dba#123.
In the airflow.cfg I have specified my DB password as
#sql_alchemy_conn = postgresql+psycopg2://user:dba#123#postgresserver.com:5432/airflow
It throws an error:
sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) could not translate host name "123#postgresserver.com" to address: Name or service not known
I tried to specify the password as parameters to the postgresql
sql_alchemy_conn = postgresql+psycopg2://user:dba#123#postgresserver.com:5432/airflow?password=dba#123
but it is not working.
Can anyone help?
Maybe this can help: you can set the DB properties as environment variables and then get them via a function; this way you will not get an error.
import os

# Read the connection settings from environment variables
def db_props():
    db_config = {
        'host': os.environ["_HOST"],
        'port': os.environ["_PORT"],
        'db': os.environ["_DATABASE"],
        'username': os.environ["_USERNAME"],
        'password': os.environ["_PASSWORD"]
    }
    return db_config
and later in code, you can do this while making a connection:
db_config = db_props()
server = db_config['host']
port = db_config['port']
database = db_config['db']
username = db_config["username"]
password = db_config['password']
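Added example, not part of the original posts: a reserved character in the password changes how a connection URL is split, so this sketch percent-encodes the credentials before building a value for sql_alchemy_conn and checks that host and password survive parsing. The function names are hypothetical, the environment variable names are the ones used in the answer above, and urlsplit stands in for a generic URL parser (SQLAlchemy's own parsing is not reproduced here).

```python
from urllib.parse import quote, unquote, urlsplit

# Constructed sample values; the variable names follow the answer above.
SAMPLE_ENV = {
    "_HOST": "postgresserver.com",
    "_PORT": "5432",
    "_DATABASE": "airflow",
    "_USERNAME": "user",
    "_PASSWORD": "dba#123",
}


def build_conn_url(env, scheme="postgresql+psycopg2"):
    """Assemble a connection URL with user and password percent-encoded."""
    # safe="" makes quote() encode every reserved character, including
    # '#', '@', ':' and '/', so none of them can end the userinfo part early.
    user = quote(env["_USERNAME"], safe="")
    password = quote(env["_PASSWORD"], safe="")
    return (f"{scheme}://{user}:{password}"
            f"@{env['_HOST']}:{env['_PORT']}/{env['_DATABASE']}")


def parse_conn_url(url):
    """Split a URL with a generic parser and decode the credentials."""
    parts = urlsplit(url)
    return {
        "user": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
        "host": parts.hostname,
        "database": parts.path.lstrip("/"),
    }


def credentials_survive(url, env):
    """True only if parsing the URL gives back the intended host and password."""
    parsed = parse_conn_url(url)
    return (parsed["host"] == env["_HOST"]
            and parsed["password"] == env["_PASSWORD"])


if __name__ == "__main__":
    # Constructed URL with the password pasted in unencoded.
    raw = "postgresql+psycopg2://user:dba#123@postgresserver.com:5432/airflow"
    print("raw:    ", parse_conn_url(raw), credentials_survive(raw, SAMPLE_ENV))
    safe = build_conn_url(SAMPLE_ENV)
    print("encoded:", safe, credentials_survive(safe, SAMPLE_ENV))
```

Keeping the password in an environment variable, as the answer suggests, also keeps it out of airflow.cfg and out of version control.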
I installed the dsc module and added an AD user to the Domain controller using Puppet. The code below works fine when hard-coding the password as plain text. Is it possible somehow to encrypt those passwords?
I read that hiera-eyaml is the solution for this, so I encrypted the password
[root@PUPPET puppet]# /opt/puppetlabs/puppet/bin/eyaml encrypt -p
Enter password: **********
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
Then stored that encrypted pass in /etc/common.eyaml file (specified in hiera config file)
/opt/puppetlabs/puppet/bin/eyaml edit /etc/common.eyaml
I can decrypt the file successfully:
/opt/puppetlabs/puppet/bin/eyaml decrypt -f /etc/common.eyaml
Then I specified the encrypted pass in the manifest file
/etc/puppetlabs/code/environments/production/manifests/site.pp:
dsc_xADUser {'FirstUser':
  dsc_ensure => 'present',
  dsc_domainname => 'ad.contoso.com',
  dsc_username => 'tfl',
  dsc_userprincipalname => 'tfl@ad.contoso.com',
  dsc_password => {
    'user' => 'Administrator@ad.contoso.com',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires => true,
  dsc_domainadministratorcredential => {
    'user' => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password'))
  },
}
On the Windows node I got this error:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Function lookup() did not find a value for the name 'password' on node windows.example.com
Hiera config file:
cat /etc/puppetlabs/puppet/hiera.yaml
---
# Hiera 5 Global configuration file
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "/etc/common.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
cat /etc/common.eyaml
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAl/+uUACl6WpGAnA1sSqEuTp39SVYfHc7J0BMvC+a2C0YzQg1V]
I'm new to Puppet and this hiera is confusing me
For starters, there is a typo in your Hiera config file. The path to the data should be:
paths:
  - "/etc/common.eyaml"
After fixing that, you need to retrieve the value from Hiera. This is performed with the puppet lookup function. Since you have a single key value pair here in a single data file, this can be performed with a minimal number of arguments.
dsc_xADUser {'FirstUser':
  dsc_ensure => 'present',
  dsc_domainname => 'ad.contoso.com',
  dsc_username => 'tfl',
  dsc_userprincipalname => 'tfl@ad.contoso.com',
  dsc_password => {
    'user' => 'Administrator@ad.contoso.com',
    'password' => Sensitive('pass')
  },
  dsc_passwordneverexpires => true,
  dsc_domainadministratorcredential => {
    'user' => 'Administrator@ad.contoso.com',
    'password' => lookup('string'),
  },
}
However, you also really want to redact that password from your logs and reports. You would want to wrap that password String in a Sensitive data type.
'password' => Sensitive(lookup('string')),
You seem to already be doing that for your other password that is being passed in as a String pass.
A side note to all of this is that Puppet has intrinsic support for lookup retrievals from Vault and Conjur in version 6, so that will become best practices instead of hiera-eyaml soon.
Ufff, after much struggling finally got it working:
cat /etc/puppetlabs/puppet/hiera.yaml
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
Created password:
/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'password' -s 'Pass' --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
Added it to /etc/puppetlabs/puppet/data/windowspass.eyaml file:
/opt/puppetlabs/puppet/bin/eyaml edit windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
cat /etc/puppetlabs/puppet/data/windowspass.eyaml
---
password: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAUopetXenh/+DN1+VesIZUI5y4k3kOTn2xa5uBrtGZP3GvGqoWfwAbYsfeNApjeMG+lg93/N/6mE9T59DPh]
Tested decryption:
/opt/puppetlabs/puppet/bin/eyaml decrypt -f windowspass.eyaml --pkcs7-public-key=/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem --pkcs7-private-key=/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
As Matt suggested, mapped content of windowspass.eyaml to manifest file
'password' => Sensitive(lookup('password'))
Debugging command helped me a lot:
puppet master --debug --compile windows.example.com --environment=production
Thanks everyone, especially to Matt
I'm using Vagrant and I'm trying to provision a VM using Puppet. In the Vagrantfile I configured the VM db as follows:
  config.vm.define "db" do |db|
    db.vm.hostname = "db"
    db.vm.network "private_network", ip: "10.11.1.201", virtualbox__intnet: true
    db.vm.provider "virtualbox" do |v|
      v.memory = 1024
    end
    db.vm.network "forwarded_port", guest: 22, host: 2221, id: 'ssh', auto_correct: true
    db.vm.network "forwarded_port", guest: 5432, host: 2222
    db.ssh.forward_agent = true
    config.vm.provision :shell do |shell|
      shell.inline = "mkdir -p /etc/puppet/modules;
        puppet module install puppetlabs-postgresql"
    end
    config.vm.provision :puppet do |puppet|
      puppet.manifests_path = "puppet/manifests"
      puppet.manifest_file = "site.pp"
      puppet.module_path = "puppet/modules"
    end
  end
end
As you can see, I set up the download of the modules using a Vagrant shell command before the Puppet provisioner runs. In this way I have downloaded the puppetlabs-postgresql module from Puppet Labs. I do not want to manage my database by creating classes in my site.pp file located in /puppet/manifests/site.pp. I want to have a module called database in /puppet/modules/database. What I have done so far is create an init.pp file in /puppet/modules/database. Below is the content of my init.pp file:
class database {
  class { 'postgresql::server':
    ip_mask_allow_all_users => '0.0.0.0/0',
    listen_addresses => '*',
    ipv4acls => ['hostssl all johndoe 192.168.0.0/24 cert'],
    postgres_password => 'TPSrep0rt!',
  }
}
And then in my /puppet/manifests/site.pp file I have included the database class as below:
node 'db' {
  include database
}
After the "vagrant up" command I get the error:
Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class postgresql::server at /tmp/vagrant-puppet/modules-d1208595f982e4ac16b287f9bd398c89/database/manifests/init.pp:8 on node db.lan
==> db: Wrapped exception:
==> db: Could not find declared class postgresql::server
==> db: Error: Puppet::Parser::AST::Resource failed with error ArgumentError: Could not find declared class postgresql::server at /tmp/vagrant-puppet/modules-d1208595f982e4ac16b287f9bd398c89/database/manifests/init.pp:8 on node db.lan
What is the correct way to make use of the postgresql classes?
It is a weird feeling to read your code, especially the class database part.
Can you set a hieradata template for the Puppet module postgresql?
Something like:
postgresql::server:
  ip_mask_allow_all_users: '0.0.0.0/0'
  listen_addresses: '*'
  ipv4acls:
    - 'hostssl all johndoe 192.168.0.0/24 cert'
  postgres_password: 'TPSrep0rt!'
In the node definition,
node 'db' {
  include postgresql::server
}
Managing the facters in the pp file directly is not good practice.
I have a vagrant file that uses chef to help install things:
Vagrant.configure(2) do |config|
  config.vm.box = 'opscode-ubuntu-12.04_chef-11.4.0'
  config.vm.box_url = 'https://opscode-vm-bento.s3.amazonaws.com/vagrant/opscode_ubuntu-12.04_chef-11.4.0.box'
  config.vm.network :forwarded_port, guest: 3000, host: 3000
  config.vm.provider(:virtualbox) do |vb|
    vb.customize [
      "modifyvm", :id,
      "--memory", "1024",
      "--cpus", "4"
    ]
  end
  config.vm.provision :shell, inline: %Q{
    sudo apt-get install -y postgresql-client
  }
  config.vm.provision :chef_solo do |chef|
    chef.cookbooks_path = ["cookbooks"]
    chef.add_recipe :apt
    chef.add_recipe 'postgresql::server'
    chef.add_recipe 'build-essential'
    chef.add_recipe 'rvm::vagrant'
    chef.add_recipe 'rvm::system'
    chef.add_recipe 'git'
    chef.json = {
      :postgresql => {
        :version => '9.3'
      },
      "postgresql" => {
        "password" => {
          "postgres" => "kshgfi3ret3hihjfbkivtbo3ity835"
        }
      },
      "database" => {
        "create" => ["aisisplatform"]
      },
      :git => {
        :prefix => "/usr/local"
      },
      :rvm => {
        'rubies' => [ 'ruby-2.1.0' ],
        'default_ruby' => 'ruby-2.1.0',
        'vagrant' => {
          :system_chef_solo => '/usr/bin/chef-solo'
        }
      },
    }
  end
end
There are a few issues with this:
Throughout the vagrant up startup I get warnings like this:
/tmp/vagrant-chef-1/chef-solo-1/cookbooks/rvm/libraries/rvm_chef_user_environment.rb:32: warning: class variable access from toplevel
The next issue is that things don't work properly. Sometimes the VM sees PostgreSQL through the psql command; sometimes it doesn't know what it is and states it's not installed. When it does see it, it states: psql: FATAL: role "vagrant" does not exist
The final issue is that when the VM boots up there are well over 200 updates, both regular and security. I would like this to be taken care of when the VM is set up the first time, via vagrant up. I tried doing:
config.vm.provision :shell, inline: %Q{
  sudo apt-get update
  sudo apt-get upgrade -y
}
But when the script runs I get a TON of errors about stdin and so on and so forth. So, what do I do to fix these? What's wrong with my Vagrantfile?
I adapted the vagrant file to use the omnibus and berkshelf plugins. The former will ensure chef is at the desired version and the latter keeps the cookbooks up-to-date.
I also noted the "class variable access" warnings, whose root cause is presumably buried in the rvm cookbook. I didn't look deeper because my Vagrant run completed without error.
Example
$ tree
.
├── Berksfile
└── Vagrantfile
Berksfile
site :opscode
cookbook "apt"
cookbook "postgresql"
cookbook "build-essential"
cookbook "rvm", :github => "fnichol/chef-rvm"
cookbook "git"
Vagrantfile
Vagrant.require_plugin "vagrant-omnibus"
Vagrant.require_plugin "vagrant-berkshelf"
Vagrant.configure(2) do |config|
  # Box config
  config.vm.box = 'precise64'
  config.vm.box_url = 'http://files.vagrantup.com/precise64.box'
  # Plugin config
  config.omnibus.chef_version = :latest
  config.berkshelf.enabled = true
  # Network config
  config.vm.network :forwarded_port, guest: 3000, host: 3000
  # Virtual config
  config.vm.provider(:virtualbox) do |vb|
    vb.customize [
      "modifyvm", :id,
      "--memory", "1024",
      "--cpus", "4"
    ]
  end
  # Provisioner config
  config.vm.provision :chef_solo do |chef|
    chef.add_recipe 'apt'
    chef.add_recipe 'postgresql::client'
    chef.add_recipe 'postgresql::server'
    chef.add_recipe 'build-essential'
    chef.add_recipe 'rvm::system'
    chef.add_recipe 'git'
    chef.json = {
      :postgresql => {
        :version => '9.3'
      },
      "postgresql" => {
        "password" => {
          "postgres" => "kshgfi3ret3hihjfbkivtbo3ity835"
        }
      },
      "database" => {
        "create" => ["aisisplatform"]
      },
      :git => {
        :prefix => "/usr/local"
      },
      :rvm => {
        'rubies' => [ 'ruby-2.1.0' ],
        'default_ruby' => 'ruby-2.1.0',
        'vagrant' => {
          :system_chef_solo => '/usr/bin/chef-solo'
        }
      },
    }
  end
end
Notes:
A standard Ubuntu image can be used. The omnibus plugin will install Chef 11.10 automatically.
The "rvm::vagrant" recipe was removed as unnecessary. Chef is installed using the omnibus installer and will therefore have its own embedded Ruby version.
Used the "postgresql::client" recipe instead of a shell provisioner.
How to set up proper authorization for mongodb 2.4.1.
My setup seems not to be working.
Replica members config:
dbpath = /vol/data/mongodb/
# logfile
logpath = /var/log/mongodb/mongodb.log
logappend = true
# socket
bind_ip = 0.0.0.0
port = 27018
# replication
replSet = <%= hostname[14,4] %>
# authentication
keyFile = /etc/mongodb.pass
# turn off legacy privilege mode
setParameter = supportCompatibilityFormPrivilegeDocuments=false
setParameter = textSearchEnabled=false
# turn on authorization
auth = true
After adding user authorization:
> use admin
> db.addUser( { user: "admin", pwd: "xxx", roles: [ "userAdminAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase" ] } )
I can't access rs.* commands.
> use admin
> db.auth('admin','xxx')
1
> rs.status()
{ "ok" : 0, "errmsg" : "unauthorized" }
I too was dealing with the same sort of problem. I have a solution for it.
Turn off auth
1. Create a user with root privilege
Root privilege yields readWrite access to the database while the userAdminAnyDatabase role doesn't.
use admin
db.createUser( {
  user: "root",
  pwd: "pass",
  roles: [ { role: "root", db: "admin" } ]
});
Turn on auth
2. Log in with the root user
mongo -u root --authenticationDatabase admin -p
Then you can execute your commands.
Hope this helps :)
I think you need to use a keyFile if you have a replicaset.
Taken from http://docs.mongodb.org/manual/tutorial/enable-authentication/ :
Enable authentication using the auth or keyFile settings. Use auth for standalone instances, and keyFile with replica sets and sharded clusters. keyFile implies auth and allows members of a MongoDB deployment to authenticate internally.