Skip to content

Category: Puppet

“Dynamic lookup is deprecated. Support will be removed in Puppet 2.8.” when using facts in templates

Recently ran into some of these when running Puppet 2.7.x:

warning: Dynamic lookup of $variable is deprecated. Support 
will be removed in Puppet 2.8.  Use a fully-qualified variable
name (e.g., $classname::variable) or parameterized classes.

The solution was pretty obvious and it’s easy to fix because the solution is mentioned in the warning. However the warning fails to mention what to do with Facter facts inside ERB templates. Figuring out how to fix this took me quite a while although it’s easy too.

Let’s start by taking a look at this snippet:

NameVirtualHost <%= 'ipaddress' %>:80
< VirtualHost <%= 'ipaddress' %>:80 >
	Servername www.example.com
	DocumentRoot /var/www/vhosts/example.com
	ServerAdmin info@example.com

If we’d apply this template in a manifest using Puppet 2.7.x we would run into the warning mentioned above because the IP address fact is out of scope. In order to avoid this we use lookupvar for Facter facts:

NameVirtualHost <%= scope.lookupvar('ipaddress') %>:80
< VirtualHost <%= scope.lookupvar('ipaddress') %>:80 >
	Servername www.example.com
	DocumentRoot /var/www/vhosts/example.com
	ServerAdmin info@example.com

puppetmaster-passenger session ticket A: tlsv1 alert decrypt error

There is a bug in the default puppetmaster vhost that’s included in Ubuntu-10.10’s puppetmaster-passenger package.

# puppetd --server puppet.fqdn --waitforcert 60 --no-usecacheonfailure
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: tlsv1 alert decrypt error
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Lucky for us this is easily fixed using the patch below.
If you have trouble copy/pasting it, here’s a direct link: apache_passenger_tlsv1.patch.

*** puppetmaster	Mon Feb  21 15:25:28 2011
--- puppetmaster.new	Mon Feb  21 15:25:13 2011
***************
*** 13,19 ****
          SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
          # If Apache complains about invalid signatures on the CRL, you can try disabling
          # CRL checking by commenting the next line, but this is not recommended.
!         SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
          # Set to require if this puppetmaster doesn't issue certificates
          # to puppet clients.
          # NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
--- 13,20 ----
          SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
          # If Apache complains about invalid signatures on the CRL, you can try disabling
          # CRL checking by commenting the next line, but this is not recommended.
!         # default: SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
!         SSLCARevocationPath     /var/lib/puppet/ssl/ca/crl
          # Set to require if this puppetmaster doesn't issue certificates
          # to puppet clients.
          # NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem

You can apply it using:

# patch -i apache_passenger_tlsv1.patch \
/etc/apache2/sites-available/puppetmaster

I’ve already filed a bug and supplied the solution a while ago. It has been confirmed but it’s still not in the default repositories yet, which is beyond my reach.