This is mainly for @michaelweiser:

So someone else implemented another hiera-backend for trocla: https://github.com/ZeroPointEnergy/hiera-backend-trocla

At first it couldn't do as much as yours, but now as the @ZeroPointEnergy iterated over it again it is feature equivalent with yours. And actually to be honest: it now not only has all the features of your backend, but also addresses a few drawbacks. Like that with your backend, you can only get a password in one specific format for one node, and you can't get both, e.g. a plain and a mysql backend.

Also that imho it makes to sense to maintain 2 backends, I'm actually in favor of removing your backend from this module and within the README of this module and trocla point to @ZeroPointEnergy's module.
Also note that for puppet-server installation we can't distribute the backend anymore using a puppet module, but should do it with a gem. Which is also something that the other module addresses and which is also one of the reasons, why I would like to keep the backend out of the module.

To make the long story short: What are you feelings about removing your code and pointing to the other backend?

I guess it should be too much work of migrating your existing hiera configuration over to the new backend, or keep your backend in an own repository, which you would maintain on your own.

Sorry for that, but I would say this is how iterating works in software development.

Hi,

how about a new release for the puppet forge?

The current release does not support hiera 5, because the trocla_lookup_key method is missing in release 1.0.1

Cheers otterz

along with #4, i think we should provide a default storage file and make sure its permissions are alright, because if we follow the class declaration i have in #4, the file created is world-readable.

something like:

file { $trocla::storage: mode => 0400, owner => puppet }

should be good enough.

I was expecting:

include trocla

do just "do the right thing". The readme actually made me thing that:

include trocla::master

... would also work, but then by reading the manifests, I came to understand we actually need to:

include trocla::config

... but that doesn't actually work either, because the default configuration is wrong.

I actually had to do:

class { 'trocla::config':
  adapter => 'YAML',
  adapter_options => { 'file' => '/var/lib/puppet/server_data/trocla.yml' },
}

It would be nice if those adapter options were the default!

could there be a system by which you'd have a "system-wide" password then host-specific ones?

i'm thinking of something like trocla([$fqdn, 'default'])...

Hi

Would be great if we could get a new forge release of this module ;-)

Hi,

We want to use trocla_set to force a plain password and generate a md5crypt

On the 1st run, trocla set our password and a md5crypt.
On the 2nd run, trocla set again our password and generate a new md5crypt.

It doesn't seem possible to check if a password is already defined and equal to the password we wanted.

Ideally I would wrote somethings like this :

if trocla_get('mykey_user', 'plain') != $my_password_from_hiera {
   $md5pass = trocla_set('mykey_user', $my_password_from_hiera, 'plain', 'md5crypt')
} else {
  $md5pass = trocla('mykey_user', 'md5crypt') # or trocla_get
}

Is it possible to do something like this, or have you an idea how to do this ?
Perhaps we can patch trocla or trocla_get to do not raise a fatal error if the password does not exist in the trocla database ?

Best regards

Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Error 400 on SERVER: Permission denied - /etc/puppet/modules/trocla/lib/puppet/parser/functions/trocla_get.rb

Hi,

how to use this module? I download it but I don't know where to start. Can you give an example?

Thanks.

As reported on puppet-users, it seems that the hiera-backend is leaking stores:

https://groups.google.com/forum/#!topic/puppet-users/JDfXiA1xnCg

The workaround proposed on the list goes into the same direction as what we discussed in #18 and hence is introducing the same inefficiency (re-opening database connection), that I tried to avoid in the patches that followed to that PR.

Although, I explicitly tried to not run into the same problem as in the original puppet function with the hiera-backend, it looks like we are creating objects over and over again and hence keeping tons of connections open. Though that is my current guess and the little info we have on the report on the list, but it's the only explanation I have so far for the growing connection count.

What might interfere is the way how puppet is setting up the caches for hiera backends and eventually we might need to try to do that differently than storing the trocla object in the hash. But that's a pure guess atm, that needs more verification and analysis.

This is mainly a brain dump at the moment, to not loose track on what came up so far.

Hi,

the module requires a rubygems module to be installed by default but doesn't require it. Also, I am unable to locate any such module. Should that default perhaps be changed?

Thanks,
Michael

Hello

I have problems using this module. I installed it to the puppet master with the trocla::yaml class. But when I try to use the trocla function I get a error:

Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.RaiseException: (LoadError) no such file to load -- trocla

This is the code I use on the client

`$passkey = "${::hostname}_root"

user { $passkey:
name => 'root',
ensure => present,
password => trocla($passkey,'sha512crypt'),
}`

Normally client and puppet master are in different environment but the module is installed in booth environment. And for testing purposes I also tested with a client in the same environment as the puppet master. The result was the same.

Hi,

We can't get cert or key only with x509 format, as like duritong/trocla#42

I fix with:

diff --git a/lib/puppet/parser/functions/trocla_get.rb b/lib/puppet/parser/functions/trocla_get.rb
index fb5cd5a..c7596bf 100644
--- a/lib/puppet/parser/functions/trocla_get.rb
+++ b/lib/puppet/parser/functions/trocla_get.rb
@@ -29,8 +29,9 @@ the return value will be undef if the key & format pair is not found.
     end
     require File.dirname(__FILE__) + '/../../util/trocla_helper'
     args[1] ||= 'plain'
-    raise_error = args[2].nil? ? true : args[2]
-    if (answer=Puppet::Util::TroclaHelper.trocla(:get_password,false,[args[0],args[1]])).nil? && raise_error
+    options = args[2] || {}
+    raise_error = args[3].nil? ? true : args[3]
+    if (answer=Puppet::Util::TroclaHelper.trocla(:get_password,true,[args[0],args[1],options])).nil? && raise_error
       raise(Puppet::ParseError, "No password for key,format #{args[0..1].flatten.inspect} found!")
     end
     answer.nil? ? :undef : answer

Options order have change with this fix (raise_error is on args[3])

Do you want I fork and create a merge request ?

Hi,

I'm trying to install trocla

I've installed trocla via gem install trocla
I've added to my puppetmaster node "include trocla::mastertrocla::config"

gem list give

• moneta (0.7.20)
• highline (1.6.20)

But when I run puppet agent -t I've " Could not find class rubygems::moneta for myhost"

When I remove the include on my puppetmaster node and I run puppet agent on a client which have an user resource, password managed with troca I've "Error: Could not retrieve catalog from remote server: Error 400 on SERVER: no such file to load -- trocla"

I've create an empty file puppet owned in /etc/puppet/troclarc.yaml
And I don't have "server_data/trocla_data.yaml" on my master node

I'm on Centos 6.5, ruby 1.8.7 / puppet 3.2.4

Any help ?

Best regards,

Hi,
Is this module compatible with Puppet 8x ?
Do you have tested it ? Do you have any feedback ?
Thanks.