Sunday, March 30, 2014

Gino Vernetto

I have occasionally published material on Wikipedia US, and never had any issue. Whenever I try to do the same on Wikipedia Italy, there is immediately someone who deletes it without really any substantial reason.

Anyway I am publishing here the small article I had written on my father, Gino Vernetto, who has been writing a lot of history books. At least if someone googles his name he will find this post.

|Nome = Gino
|Cognome = Vernetto
|Sesso = M
|LuogoNascita = Parella
|GiornoMeseNascita = 12 dicembre
|AnnoNascita = 1923
|LuogoMorte =
|GiornoMeseMorte =
|AnnoMorte =
|Attività = storico
|Attività2 = scultore
|Attività3 = scrittore
|Epoca = 1900
|Epoca2 = 2000
|Nazionalità = italiano
|Immagine =
|Didascalia = Gino Vernetto in un'immagine del 2010

Nel 1952 si laureò in Ingegneria Elettrica presso il Politecnico di Torino. Si dedicò alle ricerche catastali nei comuni del Canavese e della Valle d'Aosta, e questa sua passione lo portò a pubblicare diversi libri sulla storia tipicamente dal 1200 al 1900.
Curò anche la traduzione e pubblicazione dei Diari di Giacomo Naretti, in collaborazione con Alberto Sbacchi.

== Opere ==
{{div col}}
*Storie di un piccolo paese: Parella – 198 pp - Parella, 1990
*Genealogia e cronistoria dei conti San Martino di Loranzè – 64 pp – in Bollettino SASAC n. 24 del 1998
*PARELLA – Storia e cronaca dalle origini al 1900 – 647 pp - SASAC, Ivrea, 1999
*I marchi di alcuni notai canavesani dei secoli XV-XVII – 45 pp – in Bollettino SASAC n.26 del 2000
*Gli ultimi conti San Martino di Loranzè – 15 pp – in Bollettino ASAC n.1 del 2001
*Giacomo Naretti, un canavesano che si è fatto onore, in Bollettino ASAC n.1 del 2001, pp.119-121, seguito da Le memorie di Giacomo Naretti alla corte dell’imperatore Giovanni IV d’Etiopia di Alberto Sbacchi, pp.122-140
*Genealogia dei secondi San Martino di Parella in Bollettino ASAC n.2 del 2002, pp.131-175
*CHARVENSOD – Alla ricerca delle radici – 275 pp - Comune di Charvensod (AO), 2002
*Le vicissitudini di una piccola comunità canavesana ai tempi della guerra civile tra madamisti e principisti (1639-1642) – 50 pp – in Bollettino ASAC n.3 del 2003
*Giacomo Naretti alla corte del negus Johannes IV d’Etiopia - Diari 1856-1881 - a cura di Alberto Sbacchi e Gino Vernetto, pp.496 - ASAC, Ivrea, 2004
*Stórie dij neuss país, pp.132, Pedagna, 2008
*La legislazione comunale della “Pedagna” dal 1395 al 1875, pp.143, libridicossavellaealessi, Aosta, 2008 – coautore Sandra Biava
*Colleretto Giacosa. Storia e storie, pp.551 – Bolognino Editore, Ivrea, 2010
*Storia della cartiera di Parella, pp. 178 - ASAC, Ivrea, 2010
*Carlo Emilio San Martino di Parella, pp. 81, Edizione artigianale, 2010
*Loranzè. Fra storia e cronaca, pp. 607 - Bolognino Editore, Ivrea, 2013

{{div col end}}

== Onorificenze ==

Cavaliere della Repubblica Italiana
Order of the Star of Ethiopia

PS the page in teh wikipedia has been deleted today 2014-04-08 by user Supernino - reminiscent of Nietsche.

Friday, March 28, 2014

Getting started with Varnish on RHEL

export http_proxy=

rpm --nosignature -i

yum install varnish

Loaded plugins: product-id, rhnplugin, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
drdb-rhel6                                                                                                   |  871 B     00:00
epel-rhel6                                                                                                   |  871 B     00:00
jenkins-rhel6                                                                                                |  871 B     00:00
acme_v6                                                                                                 |  871 B     00:00
percona-rhel6                                                                                                |  871 B     00:00
rhel-x86_64-server-6                                                                                         | 1.5 kB     00:00
rhel-x86_64-server-optional-6                                                                                | 1.5 kB     00:00
rhel-x86_64-server-supplementary-6                                                                           | 1.5 kB     00:00
varnish-3.0                                                                                                  |  951 B     00:00
varnish-3.0/primary                                                                                          |  13 kB     00:00 [Errno -1] Metadata file does not match checksum
Trying other mirror.
varnish-3.0/primary                                                                                          |  13 kB     00:00 [Errno -1] Metadata file does not match checksum
Trying other mirror.
Error: failure: repodata/primary.xml.gz from varnish-3.0: [Errno 256] No more mirrors to try.

vi /etc/yum.conf

then try again:

yum install varnish

service varnish start

To start a HTTP server I use Python:
run it on 8080


if you get 503 Service Unavailable:

vi /etc/varnish/default.vcl
backend default {
  .host = "";
  .port = "8080";
service varnish stop
service varnish start

Fail fast shell scripts with set -e

Shell script number one:
ls /pippo
ls /pappo

chmod 775
ls: /pippo: No such file or directory
ls: /puppo: No such file or directory
now let's insert a "set -e" at the top of the script, and run again:
ls: /pippo: No such file or directory

See? Listing an nonexistent directory returns a non-zero error code, and this makes the script fail immediately, no need for boring explicit testing of the exit code of each command.... I only wish there was an error handler to print a nice error message.... I guess 100 years from now bash will evolve to something decent, for the time being be happy with the horrible crap it is.


I went completely mad chasing why on earth an admin server was starting with, even if all the possible places (, in the data/nodemanager folder...) I had specified

After hours, I found out that I forgot to set the Hostname Verification to "None" (in server/SSL/advanced), it was instead the BEA Hostname Verifier

in WLST:

cd("/Servers/" + serverName + "/SSL/" + serverName )
set( 'HostnameVerificationIgnored', 1 )

Unless you turn it off, in some cases you can get the dreaded BEA-090482 BAD_CERTIFICATE alert .

WebLogic: resource [weblogic.jdbc.jta.DataSource] is unavailable

Funnily we see every minute this trace in the logs, after a restart:

<BEA-110486> <Transaction BEA1-0707A967026BC04A2B95 cannot complete commit processing because resource [weblogic.jdbc.jta.DataSource] is unavailable. The transaction will be abandoned after 76,586 seconds unless all resources acknowledge the commit decision.>

in server/monitoring/Recovery Services I see that we have a "Initial Recovered Transaction Total Count" = 1

and in the Monitoring/JTA/Transactions tab I see
Transaction ID                  Status          Seconds Active   XA Resources                             Servers 
BEA1-0707A967026BC04A2B95 Committing 15966          {weblogic.jdbc.jta.DataSource=new, WLStore_osbpr2do_AcmeCommonFileStore4=committed} {osbpr2do+osbpr2ms4=committed}

So my guess is that it's trying to recover a 2 phase transaction stored into a TLOG when we did an emergency shutdown. Probably this TX will timeout after 86400 seconds (this is the "Abandon Timeout Seconds" (see domain/JTA configuration)

Eventually, the transaction was ABANDONED:

####<Mar 29, 2014 4:19:02 AM CET> <Error> <JTA> <hqchacme111> <osbpr2ms4> <[ACTIVE] ExecuteThread: '13' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <7bd15190938d1348:-505e336a:14506b7cf60:-8000-000000000002a277> <1396063142807> <BEA-110423> <Abandoning transaction after 86,434 seconds: Xid=BEA1-0707A967026BC04A2B95(1729083635),Status=Committing,numRepliesOwedMe=0,numRepliesOwedOthers=0,seconds since begin=86432,seconds left=0,XAServerResourceInfo[WLStore_osbpr2do_acmeCommonFileStore4]=(ServerResourceInfo[WLStore_osbpr2do_acmeCommonFileStore4]=(state=committed,assigned=osbpr2ms4),xar=WLStore_osbpr2do_acmeCommonFileStore4167158004,re-Registered = true),XAServerResourceInfo[weblogic.jdbc.jta.DataSource]=(ServerResourceInfo[weblogic.jdbc.jta.DataSource]=(state=new,assigned=none),xar=null,re-Registered = false),SCInfo[osbpr2do+osbpr2ms4]=(state=committed),properties=({weblogic.jdbc.affinity.p01osb={, percent=1, instance  =p01osb_2, host=hqbuun551, database=p01osb}}),local properties=({weblogic.transaction.recoveredTransaction=true}),OwnerTransactionManager=ServerTM[ServerCoordinatorDescriptor=(, XAResources={eis/Apps/Apps, eis/tibjms/Queue, eis/activemq/Queue, acme_SSS_ConfigDS_osbpr2do, WLStore_osbpr2do_WseeFileStore_auto_4, WLStore_osbpr2do_FileStore_auto_4, eis/fioranomq/Topic, eis/jbossmq/Queue, WLStore_osbpr2do_acmeCommonFileStore4, eis/webspheremq/Queue, eis/AQ/aqSample, SOADataSource_osbpr2do, eis/aqjms/Queue, WLStore_osbpr2do__WLS_osbpr2ms4, eis/sunmq/Queue, eis/pramati/Queue, eis/tibjms/Topic, eis/tibjmsDirect/Queue, SOAXADataSource_osbpr2do, eis/wls/Queue, eis/tibjmsDirect/Topic, acmeDataSource_osbpr2do, eis/wls/Topic, eis/aqjms/Topic, WSATGatewayRM_osbpr2ms4_osbpr2do},NonXAResources={})],>

For an excellent coverage of TLOGs please look here

To purge TLOG tables, just shut down your cluster and drop the *_WLStore tables (there should be 1 per managed server)

Tuesday, March 25, 2014

Clean Desk Policy

“If a cluttered desk is a sign of a cluttered mind, of what, then, is an empty desk a sign?”
― Albert Einstein
Einstein's desk

Italian Dictator Benito Mussolini had a strong policy of clean desk in his office in Palazzo Venezia.

Monday, March 24, 2014

in Puppet (and Linux) every slash counts

I was creating a symbolic link:

  file { "/opt/oracle/java/" :
    ensure => link,
    target => "/usr/lib/jvm/java-1.6.0-sun.x86_64/",

on a machine where such a link was already defined, but without the trailing / ( /usr/lib/jvm/java-1.6.0-sun.x86_64 ).
Much to my surprise, Puppet acted on that link by changing it to /usr/lib/jvm/java-1.6.0-sun.x86_64/ (trailing /) ... as there were any difference between the two.

Funnily, Linux itself shows a different entry after the change:
lrwxrwxrwx 1 soa soa 34 Mar 24 18:27 java -> /usr/lib/jvm/java-1.6.0-sun.x86_64

lrwxrwxrwx 1 soa soa 34 Mar 24 18:27 java -> /usr/lib/jvm/java-1.6.0-sun.x86_64/

Well.... I think WWII was worse...

Puppet file recurse

to purge or not to purge?
to recurse or not to recurse?
I have a bunch of files in a mymodule/files/myfiles folder inside the puppet module mymodule. I need to copy them to a target folder. I don't want to specify the INDIVIDUAL files, so I want to use the "recurse" option.

This will do absolutely NOTHING:

  file { '/opt/oracle/fmw11_1_1_5/wlserver_10.3/common/wlst/modules/' :
    source  => "puppet:///modules/mymodule/myfiles/",

This will change mode to ALL files under /opt/oracle/fmw11_1_1_5/wlserver_10.3/common/wlst/modules/ (including subdirectories), but will NOT remove them:

  file { '/opt/oracle/fmw11_1_1_5/wlserver_10.3/common/wlst/modules/' :
    source  => "puppet:///modules/mymodule/myfiles/",
    recurse => true

This will remove any file which is not in the source, but subdirectories will remain:

  file { '/opt/oracle/fmw11_1_1_5/wlserver_10.3/common/wlst/modules/' :
    source  => "puppet:///modules/mymodule/myfiles/",
    recurse => true,
    purge => true,

This is the least-impacting: it will not change existing files, and will just copy the files in source:
  file { '/opt/oracle/fmw11_1_1_5/wlserver_10.3/common/wlst/modules/' :
    source  => "puppet:///modules/mymodule/myfiles/",
    recurse => remote

Saturday, March 22, 2014

Great Java 8 Tutorials

These days everyone is talking about Java 8. Let's be a lemming.

By going through the new Java features, I suspect most of them are not really revolutionary, but sure most of them can make the code more readable.

The day Java will look really like Groovy, then I will be really happy.

This one is VERY comprehensive and terse - no blablabla :
  • Default Methods for Interfaces
  • Lambda expressions
  • Functional Interfaces
  • Method and Constructor References
  • Lambda Scopes
  • Predicates
  • Functions
  • Suppliers
  • Consumers
  • Comparators
  • Streams
  • Filter
  • Sorted
  • Match
  • Count
  • Reduce
  • Parallel Streams
  • Sequential Sort
  • Parallel Sort
  • new Date-related classes

Another example-rich post is:

Thursday, March 20, 2014

weblogic, difference between Failed Reserve Request Count and Waiting For Connection Failure Total

weblogic, difference between Failed Reserve Request Count and Waiting For Connection Failure Total:

The cumulative, running count of requests for a connection from this data source that could not be fulfilled.

The cumulative, running count of requests for a connection from this data source that had to wait before getting a connection and eventually failed to get a connection.

I think the second is just a subset of the first (in fact in our server we have plenty of FailedReserveRequestCount, but no WaitingForConnectionFailureTotal). If a DB fails, surely you have the first error, never the second.

My first custom Puppet function in Ruby

Here the doc

I thought this was Rocket Science, but it's quite simple, once you overcome the normal, healthy, instinctive repugnance for a stinky stupid language like Ruby. Anyway if you are already coping with Puppet, Ruby should not be worse.

Inside your Puppet module, create these folders: lib/puppet/parser/functions, and inside your function file "stage_from_domain.rb" (file name should match the function name, and extension = .rb).

The file should start with a "module Puppet::Parser::Functions" declaration (no clue why... just to make your pronounce some meaningless magic words initiating you to the Puppet Mysteries - luckily they don't ask you to kill a kitten).

The function returns a substring in the middle of a string. Since we RETURN a value, we must declare it as ":type => :rvalue":
module Puppet::Parser::Functions
  newfunction(:stage_from_domain, :type => :rvalue) do |args|
    #e.g. domain_name='osbpr1do'
    domain_name = args[0]
    #we should remove the leading "osb" and the trailing "do"
    if domain_name[0, 3] != 'osb'
     raise ArgumentError, 'domain_name should start with osb' 
    if domain_name[domain_name.length - 2, domain_name.length] != 'do'
     raise ArgumentError, 'domain_name should end with do' 
    domain_name[3, domain_name.length - 5]

The REALLY weirdo thing is how to return the value: simply end your function specifying the rvalue to return (in my case "domain_name[3, domain_name.length - 5]". No old-fashioned, READABLE "return" statements... who needs clarity....

That's all, you can now use the stage_from_domain function inside Puppet. Cool! Maybe after all I will be able to turn Puppet into something manageable... especially the day they will decide to support Groovy, instead of Stinking Ruby.


I was trying desperately to pass an argument to the JVM:
by setting it in the JAVA_OPTIONS in the DOMAIN_HOME/bin/
Much to my dismay, the MS - started via NM with "usestartscript=true", would always come up with the same property=false.
After hours of grepping and swearing, I found out that in the domain_home/servers/AdminServer/data/nodemanager/ this value was set to false. this was overriding my settings. The same setting was in the of every MS, but it was overwritten at startup, so no point in changing it.
"Node Manager uses the file to determine the startup and configuration when starting a server. This file is defined for each server instance and is located in:

domain_home/servers/server_name/data/nodemanager/ "

"Each Managed Server instance has its own file with properties that control how Node Manager starts up and controls the server. Node Manager automatically creates this file by using properties passed to Node Manager when the Administrative Server was last used to start the server. This allows a Node Manager client or startup scripts to restart a Managed Server using the same properties last used by the Administrative Server. "

Once you change the of the Admin, remember to restart the NM.

Tuesday, March 18, 2014

Dedicated to all those who were in love with Obama

sorry for spamming with political messages, but this is just too good to be missed

Monday, March 17, 2014

Puppet. generate a property file from a YAML hash

the YAML:

  acmev2_env : DEV
  acmev2_loadbalancerurl :

The file/template statenent:
  file { "${acmescripts_rootfolder}config/":
    ensure  => present,
    content => template('acmev2/acmescripts/'),
    mode    => 0775,

The template file:

<% @acmev2_properties.each do |key, value| -%>
<%= key %>=<%= value %>
<% end -%>

The generated property file:


Stuck in tar

I have a tarball AcmeScripts-1.26-scripts.tar.gz containing a subfolder:

tar tvzf AcmeScripts-1.26-scripts.tar.gz

drwxr-xr-x 508/100           0 2014-03-11 12:21 AcmeScripts-1.26/jms/
drwxr-xr-x 508/100           0 2014-03-11 12:21 AcmeScripts-1.26/logs/

(i.e. all the content is under AcmeScripts-1.26)

This is bloody maven who packages my scripts this way, no clue why.

When I untar the tarball, I want to get rid of the AcmeScripts-1.26 subfolder, and untar all the content in a /opt/oracle/acmescripts/ folder (without having a /opt/oracle/acmescripts/AcmeScripts-1.26/ )
I have tried everything, but all attempt failed.

This untars under /opt/oracle/acmescripts/AcmeScripts-1.26/:
tar xvzf AcmeScripts-1.26-scripts.tar.gz -C /opt/oracle/acmescripts/ AcmeScripts-1.26/*

this does the same:

tar xvzf AcmeScripts-1.26-scripts.tar.gz -C /opt/oracle/acmescripts/

There doesn't seem to be an option to untar the content of AcmeScripts-1.26-scripts.tar.gz/AcmeScripts-1.26/* directly to /opt/oracle/acmescripts/. I need to do it in 2 additional steps:

mv /opt/oracle/acmescripts/AcmeScripts-1.26/* /opt/oracle/acmescripts/
rmdir /opt/oracle/acmescripts/AcmeScripts-1.26/

Which I don't find ideal. I would rather have something like

tar xvzf AcmeScripts-1.26-scripts.tar.gz -C /opt/oracle/acmescripts/ -D AcmeScripts-1.26/

(don't try it, the -D option doesn't exist)

The workaround is to simply deploy  the scripts to /opt/oracle/acmescripts_staging/AcmeScripts-1.26, and then create a symbolic link between /opt/oracle/acmescripts_staging/AcmeScripts-1.26 and /opt/oracle/acmescripts/ :

ln -s /opt/oracle/acmescripts_staging/AcmeScripts-1.26  /opt/oracle/acmescripts/

Of course when you deploy a new version of the scripts, you have to:
a) remove the previous link
b) remove /opt/oracle/acmescripts_staging/AcmeScripts-1.26
c) create the new link 
ln -s /opt/oracle/acmescripts_staging/AcmeScripts-1.27  /opt/oracle/acmescripts/

which requires some coordination and making sure it all fits together. Not all that simple.

I am a bit disappointed by tar, I always found it a underdesigned utility.

(this must be some La Brea tar pit ad)

Sunday, March 16, 2014

"Against the Car" - aka "The Planet-eating machine" or "The Canned Man"

I am sponsoring a research on the (disastrous) impact that CARS have on this Planet - approaching the issue from an anthropological, urbanistic, medical, social and political standpoint.

Surprisingly enough, there doesn't seem to be such a book.

Cars have replaced a varied and beautiful world with NOTHING - squalid parking lots, dreadful desert suburbs, isolated selfish individuals in prey to an omnipotence delirium that the amplification of muscular power through a pressure on the accelerator pedal gives to them.

Children can no longer play in the street. Precious soil is sequestered from human and animal life. Cities turn into animal zoos where animals in cages are separated by the flow of vehicles.

Fossil energy is siphoned from the earth causing this planet to go back to pre-Pleistocene climate. And triggering resource wars by which a neo-nazi elite is quickly affirming its domination on all of us.

Trade and business is expelled to the outskirts of the cities, impoverishing the urban life and concentrating wealth in the hands of large corporations.

The CAR is the G'mork, the Nothing eating the planet.

G'mork: If you come any closer, I will rip you to shreds.
Atreyu: Who are you?
G'mork: I am G'mork. And you, whoever you are, can have the honor of being my last victim.
Atreyu: I will not die easily. I am a warrior.
G'mork: Ha! Warrior. Then fight the Nothing.
Atreyu: But I can't! I can't get beyond the boundaries of Fantasia! [G'mork laughs mockingly] What's so funny about that?
G'mork: Fantasia has no boundaries.
Atreyu: That's not true. You're lying!
G'mork: Foolish boy. Don't you know anything about Fantasia? It's the world of human fantasy. Every part, every creature of it, is a piece of the dreams and hopes of mankind. Therefore, it has no boundaries.
Atreyu: But why is Fantasia dying, then?
G'mork: Because people have begun to lose their hopes and forget their dreams. So the Nothing grows stronger.
Atreyu: What is the Nothing?
G'mork: It's the emptiness that's left. It's like a despair, destroying this world. And I have been trying to help it.
Atreyu: But why?
G'mork: Because people who have no hopes are easy to control. And whoever has control has the Power.
Atreyu: Who are you really?
G'mork: I am the servant of the Power behind the Nothing. I was sent to kill the only one who could have stopped the Nothing. I lost him in the Swamps of Sadness. His name was Atreyu.

Thursday, March 13, 2014

Is storing JMS and TLOG files on a shared folder a good practice?

A friend of mine has JMS and TLOG files on a NFS4 shared folder, and shared among the 4 machines of his cluster.

Allegedly this should make his solution more "fault tolerant".

However, after 2 years in Production he has never, I say NEVER had a single machine outage (in any case, who cares about losing one, he has 4 machines in the cluster!) , on the other hand he had a few (at least 3) network glitches who made the NFS server unreachable for a period between a few minutes to a couple of hours.... this making ALL his solution completely unavailable.

So... if I had to make a choice, I would rather avoid NFS at all. If your main use case for NFS is that it makes it easier to deploy configuration files and applications, then consider using Puppet or use a different staging model.

Tuesday, March 11, 2014

find files with windows style linefeed

find . -name "*.sh" -exec grep -l "\r\n" {} \;

to fix them:

find . -name "*.sh" -exec grep -l "\r\n" {} \; | xargs dos2unix

Sunday, March 9, 2014


IF you are wondering what is REALLY happening in Ukraine, read this.

In a nutshell, Ukraine is yet another violent Nazi Golpe by the hands of US-NATO mercenaries - just like Libya, Syria etc etc. What happened in Europe in 1939, is happening now globally. And we are all Jews.

Quoting from "Arctic news": Ukraine is clearly another Western geopolitical stunt to stop Russian exports of oil and gas to Europe 

1 september 1939: German troops enter Poland, after having staged a false attack on a German radio station by FALSE Polish troops - just to have a pretext for war.

Friday, March 7, 2014

Book: Oracle WebLogic Server 12c Advanced Administration Cookbook

The book is a very hands-on, no blablabla tutorial which doesn't assume you have any previous knowledge of WebLogic.

It suits well a series of Laboratories experiments on WebLogic, where you can gain practical knowledge of key activities as a WebLogic Administrator.

Thursday, March 6, 2014

puppet file recurse purge filebucket

  file { "/path/to/target/":
    source  => "/path/to/staging/",
    recurse => true,
    purge   => true,

has one big caveat: if /path/to/target/ contains a lot of uncontrolled stuff which doesn't exist in /path/to/staging/, all this redundant stuff will be deleted and filebucketed (presumably across the network to a main file bucket running on the puppet master), and you will see this message:
info: /File[/path/to/target/bireports/DailyReport_2014-3-5.txt]: Filebucketed /path/to/target/bireports/DailyReport_2014-3-5.txt to main with sum 8f629af878d7d7fd7b70d33502100a76
notice: /File[/path/to/target/bireports/DailyReport_2014-3-5.txt]/ensure: removed

So the message is: be very careful to use "purge" if the target folder is supposed to contain plenty of other stuff. Consider moving that stuff under another folder. Or just forget the "purge".
See also:
Incidentally in my case there were so many files that it ended up with a "Error 400 on SERVER: Could not intern from pson: regexp buffer overflow"

Wednesday, March 5, 2014

sudoers command with any parameter

my /etc/sudoers file was configured with
%users ALL=NOPASSWD: /usr/local/bin/puppet agent -t
but then I was not allowed to run
sudo puppet agent -tv
and I get a
Sorry, user soa is not allowed to execute '/usr/local/bin/puppet agent -tv' as root on
A good workaround is to use regexp:

%users ALL=NOPASSWD: /usr/local/bin/puppet agent -[a-z]*