
sshkey exported resources collecting

asked 2015-02-24 04:52:50 -0600

PorkCharSui

updated 2015-04-16 04:48:27 -0600

I am having trouble with one of the first modules I ever made. The one where you use exported resources to sync ssh host keys between all machines.

class ssh_host_keys {
  file { '/etc/ssh/ssh_known_hosts':
    ensure => file,
    owner  => root,
    group  => root,
    mode   => '0644',
    before => Sshkey[ "${::fqdn}_rsa", "${::fqdn}_dsa" ],
  }

  # Export this host's RSA host key
  @@sshkey { "${::fqdn}_rsa":
    ensure       => present,
    key          => $::sshrsakey,
    type         => rsa,
  }

  # Export this host's DSA host key
  @@sshkey { "${::fqdn}_dsa":
    ensure       => present,
    key          => $::sshdsakey,
    type         => dsa,
  }

  # Collect the keys exported by all hosts
  Sshkey <<| |>>
}

I hadn't used it in a while, but wanted to start using it again. When I enable it now I get a lot of error messages like these (I replaced fqdn w/ *):

Notice: /Stage[main]/Ssh_host_keys/Sshkey[*_dsa]/ensure: created
Debug: Flushing sshkey provider target /etc/ssh/ssh_known_hosts
Error: /Stage[main]/Ssh_host_keys/Sshkey[*_dsa]: Could not evaluate: Field 'key' is required
Notice: /Stage[main]/Ssh_host_keys/Sshkey[*_rsa]/ensure: created
Debug: Flushing sshkey provider target /etc/ssh/ssh_known_hosts
Error: /Stage[main]/Ssh_host_keys/Sshkey[*_rsa]: Could not evaluate: Field 'key' is required

I've tried removing all ssh host key entries from the DB and on the first run I don't get any errors, but on a second run it starts complaining like above. If it was only 1 or 2 messages I might have been able to live with it, but when it does this for 500+ hosts it becomes really annoying. A lot of our machines only turn on intermittently and I suspect it has something to do with that, but I'm not sure. Has anyone else had this problem? What can I do?


Was digging through log files to remove 'deprecated' messages and other unwanted messages when I discovered this in the puppetdb log:

2015-03-10 13:30:13,359 WARN  [o.a.a.b.BrokerService] Store limit is 10240 mb, whilst the data directory: /var/lib/puppetdb/mq/localhost/KahaDB only has 1897 mb of usable space
2015-03-10 13:30:13,359 ERROR [o.a.a.b.BrokerService] Temporary Store limit is 5120 mb, whilst the temporary data directory: /var/lib/puppetdb/mq/localhost/tmp_storage only has 1897 mb of usable space

Puppetdb was trying to get more space than there was available, so I extended the LVM with a new HDD and now the above error is gone from puppetdb.log. After removing 1 of the keys which was giving me an error, directly from the db, all other hosts seem to be working now!? Could the problem have been puppetdb's lack of space? That would suggest puppet keeps trying to stuff things into the db while there isn't any space and only partially succeeds in some cases.


Came in today to find puppetdb had crashed yesterday afternoon. The last things in the logs, postgresql-9.4-main.log:

2015-03-10 14:00:26 CET LOG:  received fast shutdown request
2015-03-10 14:00:26 CET LOG:  aborting any active transactions
2015-03-10 14:00:26 CET LOG:  autovacuum launcher shutting down
2015-03-10 14:00:26 CET LOG:  shutting down
2015-03-10 14:00:34 CET LOG:  database system ...

2 Answers


answered 2015-02-24 22:23:44 -0600

GregLarkin

Can you share the redacted contents of your authorized_keys file? In particular, check if any of them have blank lines in them that were present before Puppet began managing them. That can cause this particular error message.



Lost you there... What authorized_keys file? I'm not trying to manage user keys. I just want to make sure none of our hosts get the Man In The Middle message when using SSH.

PorkCharSui ( 2015-02-25 04:23:31 -0600 )

Oops, that's what I get for reading a question late at night! I have updated my answer with a better version.

GregLarkin ( 2015-02-25 10:31:56 -0600 )

Quick questions before I update my answer - does your /etc/ssh/ssh_known_hosts file have any blank lines in it? Has it ever contained any entries that are not managed by Puppet?

GregLarkin ( 2015-02-25 11:42:10 -0600 )

Nope... Puppet is the only 1 managing it and it has no empty lines.

PorkCharSui ( 2015-02-26 07:08:44 -0600 )

How are the values of $sshdsakey and $sshrsakey passed in to your class?

GregLarkin ( 2015-02-26 16:56:34 -0600 )

answered 2018-01-23 11:04:47 -0600

pgassmann

Solution: ensure that the key is only exported if the fact is available. Can be absent when running puppet the first time during installation.

  # Now add the key, if we've got one
  if $::sshrsakey {
    @@sshkey{ $::fqdn:
      ensure       => present,
      type         => ssh-rsa,
      key          => $::sshrsakey,
      host_aliases => [$::hostname, $::ipaddress],
    }
  } else {
    # The fact can be missing on the first run, so export nothing
    warning("no sshrsakey on ${::fqdn}")
  }


@pgassmann, you are promoting usage of legacy facts. For `$::sshrsakey` you want to use `$facts['ssh']['rsa']['key']`, for `$::ipaddress` you want to use `$facts['networking']['ip']`, for `$::fqdn` you want to use `$trusted['certname']`, for `$::hostname` you want to use `$trusted['hostname']`.

Kai Burghardt ( 2018-01-23 14:12:50 -0600 )

@pgassmann, also, write if-expressions like `if $variable`, _only_ if $variable is a _boolean_. Thus `if $::sshrsakey` better should have read `if defined($facts['ssh']['rsa']['key'])`. Also `type => ssh-rsa` expects a string now: `type => 'ssh-rsa'`.

Kai Burghardt ( 2018-01-23 14:15:02 -0600 )
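An added example, not code from any of the posts above: the guard from the second answer combined with the structured and trusted facts named in its comments, applied to every host key type the node reports. The class name `ssh_host_keys_guarded` is hypothetical; it assumes Puppet 4 or later with the structured `ssh` fact and PuppetDB for exported resources.

```puppet
# Added example (hypothetical class name, not from the original thread).
class ssh_host_keys_guarded {
  # $facts['ssh'] is missing until host keys exist, e.g. on the first run
  # during installation. Fall back to an empty hash in that case.
  $host_keys = $facts['ssh'] ? {
    Hash    => $facts['ssh'],
    default => {},
  }

  if $host_keys == {} {
    warning("no ssh host key facts on ${trusted['certname']}")
  }

  # The certname comes from the agent certificate; the IP address and the
  # keys themselves are still self-reported facts. Drop undefined aliases.
  $aliases = [
    $trusted['certname'],
    $trusted['hostname'],
    $facts['networking']['ip'],
  ].filter |$name| { $name =~ String[1] }

  $host_keys.each |String $algo, Hash $data| {
    # Export only when the key is a non-empty string, so no sshkey
    # resource is ever exported without its required 'key' field.
    if $data['key'] =~ String[1] {
      @@sshkey { "${trusted['certname']}_${algo}":
        ensure       => present,
        type         => $data['type'],   # e.g. 'ssh-rsa', 'ssh-ed25519'
        key          => $data['key'],
        host_aliases => $aliases,
      }
    } else {
      warning("no ${algo} host key on ${trusted['certname']}")
    }
  }

  file { '/etc/ssh/ssh_known_hosts':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  # Collect every exported key; the file resource is applied first.
  File['/etc/ssh/ssh_known_hosts'] -> Sshkey <<| |>>
}
```

Resources a node exported earlier stay in PuppetDB until that node submits a new catalog or is deactivated, so hosts that only turn on intermittently keep their old exports until their next run.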




Asked: 2015-02-24 04:52:50 -0600

Seen: 1,139 times

Last updated: Jan 23