Jesse Nelson
2008-Mar-19 16:22 UTC
[Puppet Users] Puppet runner not honoring namespaceauth.conf ?
running latest 24.3 on server and client

I have /etc/puppet/namespeaceauth.conf set up with this entry:

[puppetrunner]
allow *

I've also tried

[puppetrunner]
allow *.mydomain.com

and

[puppetrunner]
allow runner.mydomain.com

running the client:
puppetd --verbose --no-daemonize --listen --debug

and the runner:
puppetrun --debug -f -t ipvs --host sfplb01

I always get

debug: Parsing /etc/puppet/puppet.conf
debug: Puppet::Network::Client::Runner: defining puppetrunner.run
warning: peer certificate won't be verified in this SSL session
Triggering sfplb01
debug: Calling puppetrunner.run
err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500 Internal Server Error >
Host sfplb01 failed: HTTP-Error: 500 Internal Server Error
sfplb01 finished with exit code 2
Failed: sfplb01

on the client side:
notice: Denying unauthenticated client 172.30.3.254(172.30.3.254) access to puppetrunner.run
Luke Kanies
2008-Mar-19 16:26 UTC
[Puppet Users] Re: Puppet runner not honoring namespaceauth.conf ?
On Mar 19, 2008, at 11:22 AM, Jesse Nelson wrote:
>
> I always get
>
> debug: Parsing /etc/puppet/puppet.conf
> debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> warning: peer certificate won't be verified in this SSL session
> Triggering sfplb01
> debug: Calling puppetrunner.run
> err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500 Internal Server Error >
> Host sfplb01 failed: HTTP-Error: 500 Internal Server Error
> sfplb01 finished with exit code 2
> Failed: sfplb01
>
> on the client side:
> notice: Denying unauthenticated client 172.30.3.254(172.30.3.254)

This is the key -- "unauthenticated".

The user you're running 'puppetrun' as does not have read access to any certs.

Obviously the error should be better.

--
This space intentionally has nothing but text explaining why this space has nothing but text explaining that this space would otherwise have been left blank, and would otherwise have been left blank.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Jesse Nelson
2008-Mar-19 16:31 UTC
[Puppet Users] Re: Puppet runner not honoring namespaceauth.conf ?
ah so I need to be puppet user. Glad to figure that out, but is there a way to expand who can run it? We use this to push Loadbalancer configs. I can have ppl sudo out to puppet but usually we just run it as our own users.

On Mar 19, 9:26 am, Luke Kanies <l...@madstop.com> wrote:
> On Mar 19, 2008, at 11:22 AM, Jesse Nelson wrote:
>
> > I always get
> >
> > debug: Parsing /etc/puppet/puppet.conf
> > debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> > warning: peer certificate won't be verified in this SSL session
> > Triggering sfplb01
> > debug: Calling puppetrunner.run
> > err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500 Internal Server Error >
> > Host sfplb01 failed: HTTP-Error: 500 Internal Server Error
> > sfplb01 finished with exit code 2
> > Failed: sfplb01
> >
> > on the client side:
> > notice: Denying unauthenticated client 172.30.3.254(172.30.3.254)
>
> This is the key -- "unauthenticated".
>
> The user you're running 'puppetrun' as does not have read access to
> any certs.
>
> Obviously the error should be better.
>
> --
> This space intentionally has nothing but text explaining why this
> space has nothing but text explaining that this space would otherwise
> have been left blank, and would otherwise have been left blank.
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
Jesse Nelson
2008-Mar-19 16:32 UTC
[Puppet Users] Re: Puppet runner not honoring namespaceauth.conf ?
hrm I just tried doing this as root and same stuff happened.

On Mar 19, 9:26 am, Luke Kanies <l...@madstop.com> wrote:
> On Mar 19, 2008, at 11:22 AM, Jesse Nelson wrote:
>
> > I always get
> >
> > debug: Parsing /etc/puppet/puppet.conf
> > debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> > warning: peer certificate won't be verified in this SSL session
> > Triggering sfplb01
> > debug: Calling puppetrunner.run
> > err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500 Internal Server Error >
> > Host sfplb01 failed: HTTP-Error: 500 Internal Server Error
> > sfplb01 finished with exit code 2
> > Failed: sfplb01
> >
> > on the client side:
> > notice: Denying unauthenticated client 172.30.3.254(172.30.3.254)
>
> This is the key -- "unauthenticated".
>
> The user you're running 'puppetrun' as does not have read access to
> any certs.
>
> Obviously the error should be better.
>
> --
> This space intentionally has nothing but text explaining why this
> space has nothing but text explaining that this space would otherwise
> have been left blank, and would otherwise have been left blank.
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
Luke Kanies
2008-Mar-19 16:59 UTC
[Puppet Users] Re: Puppet runner not honoring namespaceauth.conf ?
On Mar 19, 2008, at 11:31 AM, Jesse Nelson wrote:
> ah so i need to be puppet user. Glad to figure that out, but is there
> a way to expand who can run it ? we use this to push Loadbalancer
> configs. i can have ppl sudo out to puppet but usually we just run it
> as our own users.

It's all certificate based. It's straightforward to figure out where puppetrun is looking for certificates using --configprint, just generate a cert for your user and copy it into place.

--
On Bureaucracy.... The Pythagorean theorem contains 24 words. Archimedes Principle, 67. The Ten Commandments, 179. The American Declaration of Independence, 300. And recent legislation in Europe concerning when and where to smoke, 23,942. -- The European, June 23-29, 1995
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Jeremiah Johnson
2008-Mar-19 17:22 UTC
[Puppet Users] Re: Puppet runner not honoring namespaceauth.conf ?
Also, you can use sudo to execute things as users other than root. So you could allow people to execute your commands as the puppet user. Probably better than copying certs all over.

    -u  The -u (user) option causes sudo to run the specified command as a
        user other than root. To specify a uid instead of a username, use
        #uid.

-Jeremiah

On Wed, Mar 19, 2008 at 11:59 AM, Luke Kanies <luke@madstop.com> wrote:
>
> On Mar 19, 2008, at 11:31 AM, Jesse Nelson wrote:
>
> > ah so i need to be puppet user. Glad to figure that out, but is there
> > a way to expand who can run it ? we use this to push Loadbalancer
> > configs. i can have ppl sudo out to puppet but usually we just run it
> > as our own users.
>
> It's all certificate based. It's straightforward to figure out where
> puppetrun is looking for certificates using --configprint, just
> generate a cert for your user and copy it into place.
>
> --
> On Bureaucracy....
> The Pythagorean theorem contains 24 words. Archimedes
> Principle, 67. The Ten Commandments, 179. The American Declaration of
> Independence, 300. And recent legislation in Europe concerning when
> and where to smoke, 23,942. -- The European, June 23-29, 1995
>
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
Jesse Nelson
2008-Mar-20 06:39 UTC
[Puppet Users] Re: Puppet runner not honoring namespaceauth.conf ?
turns out it was a wonky config. server/client on the server were set up with bad/wrong ssl paths. ended up redoing the server from scratch and everything worked fine (was a migrated from prod test env).

On Mar 19, 9:22 am, Jesse Nelson <sphero...@gmail.com> wrote:
> running latest 24.3 on server and client
>
> I have /etc/puppet/namespeaceauth.conf set up with this entry:
>
> [puppetrunner]
> allow *
>
> I've also tried
>
> [puppetrunner]
> allow *.mydomain.com
>
> and
>
> [puppetrunner]
> allow runner.mydomain.com
>
> running the client:
> puppetd --verbose --no-daemonize --listen --debug
>
> and the runner:
> puppetrun --debug -f -t ipvs --host sfplb01
>
> I always get
>
> debug: Parsing /etc/puppet/puppet.conf
> debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> warning: peer certificate won't be verified in this SSL session
> Triggering sfplb01
> debug: Calling puppetrunner.run
> err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500 Internal Server Error >
> Host sfplb01 failed: HTTP-Error: 500 Internal Server Error
> sfplb01 finished with exit code 2
> Failed: sfplb01
>
> on the client side:
> notice: Denying unauthenticated client 172.30.3.254(172.30.3.254)
> access to puppetrunner.run
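
Added example, not part of the original thread and not Puppet's own code: a shell check for the two causes named above (a user with no read access to the certs, and wrong SSL paths), which both show up on the client only as "Denying unauthenticated client". The function names are hypothetical, and the setting names hostcert, hostprivkey and localcacert passed to --configprint are assumptions about what this Puppet version exposes.

```shell
#!/bin/sh
# Added example: explain why puppetrun might present no client certificate.
# check_ssl_file and audit_ssl_files are hypothetical helper names.

# check_ssl_file NAME PATH: print one status line; return 0 only if usable.
check_ssl_file() {
    name=$1 path=$2
    if [ -z "$path" ]; then
        echo "$name: MISSING (setting is empty)"; return 1
    elif [ ! -e "$path" ]; then
        echo "$name: MISSING ($path does not exist)"; return 1
    elif [ ! -r "$path" ]; then
        echo "$name: UNREADABLE ($path, as user $(id -un))"; return 1
    elif [ ! -s "$path" ]; then
        echo "$name: EMPTY ($path)"; return 1
    fi
    echo "$name: ok ($path)"
}

# audit_ssl_files: read "NAME PATH" pairs on stdin, one per line.
# Exit status is the number of files that cannot be used.
audit_ssl_files() {
    failures=0
    while read -r name path; do
        check_ssl_file "$name" "$path" || failures=$((failures + 1))
    done
    return "$failures"
}

# Live use: ask puppetrun where it looks, as the user who will run it.
# Skipped when puppetrun is not installed.
if command -v puppetrun >/dev/null 2>&1; then
    for setting in hostcert hostprivkey localcacert; do   # assumed names
        echo "$setting $(puppetrun --configprint "$setting")"
    done | audit_ssl_files ||
        echo "puppetrun cannot load a client cert; the agent will see it as unauthenticated"
fi
```

Run it as each account that triggers runs (including through sudo -u), since the answer depends on who is reading the files.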