funkymalc@gmail.com
2008-May-06 14:21 UTC
[Puppet Users] Puppet w/ Mongrel and fileserver access
Hello puppet-users,

I've just upgraded my Puppet installation from a basic WEBrick/Puppet 0.22.4 install to Apache/Mongrel/Puppet 0.24.4. Everything appears to be in good working order except access control related to the puppet fileserver. It appears that my puppet clients no longer have access to fileserver mounts unless the FQDN of the client is explicitly specified in fileserver.conf. IP-based access control or hostnames with wildcards result in permission denied errors. The issue appears to be specific to using puppet with Mongrel and Apache. When I run puppetmasterd in "standalone" mode, access control via IP or wildcards works fine.

I'm running the puppet server on Ubuntu 6.06.2 LTS.
Puppet 0.24.4 (server and client)
Mongrel 1.1.4
Apache 2.2.8

Is this a known issue? I haven't seen anything posted to this list or in the Puppet/Mongrel documentation about this. I suppose I could run the fileserver as a separate puppet instance, but I'd rather not do that if I don't have to.

Thanks!
John

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Luke Kanies
2008-May-06 15:23 UTC
[Puppet Users] Re: Puppet w/ Mongrel and fileserver access
On May 6, 2008, at 9:21 AM, funkymalc@gmail.com wrote:

> Hello puppet-users,
>
> I've just upgraded my Puppet installation from a basic WEBrick/Puppet
> 0.22.4 install to Apache/Mongrel/Puppet 0.24.4. Everything appears
> to be in good working order except access control related to the
> puppet fileserver. It appears that my puppet clients no longer have
> access to fileserver mounts unless the FQDN of the client is
> explicitly specified in fileserver.conf. IP-based access control or
> hostnames with wildcards result in permission denied errors. The
> issue appears to be specific to using puppet with Mongrel and
> Apache. When I run puppetmasterd in "standalone" mode, access
> control via IP or wildcards works fine.
>
> I'm running the puppet server on Ubuntu 6.06.2 LTS.
> Puppet 0.24.4 (server and client)
> Mongrel 1.1.4
> Apache 2.2.8
>
> Is this a known issue? I haven't seen anything posted to this list
> or in the Puppet/Mongrel documentation about this. I suppose I could
> run the fileserver as a separate puppet instance, but I'd rather not
> do that if I don't have to.

I've never seen this before; I'm using a wildcard with mongrel with no issues.

--
Westheimer's Discovery: A couple of months in the laboratory can frequently save a couple of hours in the library.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
funkymalc@gmail.com
2008-May-06 21:10 UTC
[Puppet Users] Re: Puppet w/ Mongrel and fileserver access
Well, I've dug a little deeper and it appears that remote client hostnames are resolving to a 127.0.0.1 address (see puppetmaster debugging output below). The system resolver appears to be configured correctly and, like I stated, this works correctly in webrick mode. I have to assume then that the problem is related to mongrel and/or the apache proxy. My apache configuration was taken right from the Apache/Mongrel Recipe so I'm a bit stumped. If anyone has any additional troubleshooting ideas, I'm all ears :)

debug: Allowing authenticated client hostname.somedomain.com(127.0.0.1) access to puppetmaster.getconfig
debug: Our client is remote
info: Caching node hostname.somedomain.com
notice: Compiled configuration for hostname.somedomain.com in 0.17 seconds
debug: Allowing authenticated client hostname.somedomain.com(127.0.0.1) access to fileserver.describe
debug: Using cached node hostname.somedomain.com
debug: mount[mod_puppet]: Describing /mod_puppet/puppet.conf for hostname.somedomain.com
debug: Allowing authenticated client hostname.somedomain.com(127.0.0.1) access to puppetreports.report

Thanks,
John
Luke Kanies
2008-May-06 21:15 UTC
[Puppet Users] Re: Puppet w/ Mongrel and fileserver access
On May 6, 2008, at 4:10 PM, funkymalc@gmail.com wrote:

> Well, I've dug a little deeper and it appears that remote client
> hostnames are resolving to a 127.0.0.1 address (see puppetmaster
> debugging output below). The system resolver appears to be
> configured correctly and, like I stated, this works correctly in
> webrick mode. I have to assume then that the problem is related to
> mongrel and/or the apache proxy. My apache configuration was taken
> right from the Apache/Mongrel Recipe so I'm a bit stumped. If anyone
> has any additional troubleshooting ideas, I'm all ears :)

Puppet doesn't use a resolver to figure out the IP address; when using mongrel it uses the REMOTE_ADDR attribute in the http connection. Is there any way this attribute could be set up incorrectly? It should be being passed from Apache.

That said, you just might be the first person to try IP-based auth with apache/mongrel, and it might just be a bug.

--
Now and then an innocent man is sent to the legislature. --Kin Hubbard
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
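
An added example, not part of the thread and not Puppet's or Mongrel's code: a backend behind a local reverse proxy sees the proxy as its TCP peer, which matches the 127.0.0.1 in the debug output above, so an IP allow rule evaluated against REMOTE_ADDR never sees the real client. The sketch below contrasts that with resolving the client address from X-Forwarded-For only when the peer is a trusted proxy; all method names, the allow rule and the sample requests are constructed, and it assumes the proxy appends the connecting address to X-Forwarded-For.

```ruby
require 'ipaddr'

# All names below are hypothetical; this is not Puppet's or Mongrel's code.
TRUSTED_PROXIES = [IPAddr.new('127.0.0.1')].freeze     # assumed: Apache on the same host
ALLOWED_NETS    = [IPAddr.new('192.0.2.0/24')].freeze  # constructed allow rule

# Constructed request environments (documentation address ranges).
VIA_PROXY  = { 'REMOTE_ADDR' => '127.0.0.1',
               'HTTP_X_FORWARDED_FOR' => '192.0.2.15' }.freeze
CLIENT_SET = { 'REMOTE_ADDR' => '127.0.0.1',
               'HTTP_X_FORWARDED_FOR' => '192.0.2.15, 198.51.100.7' }.freeze
DIRECT     = { 'REMOTE_ADDR' => '203.0.113.9',
               'HTTP_X_FORWARDED_FOR' => '192.0.2.15' }.freeze

# Naive: the TCP peer. Behind a proxy this is always the proxy itself.
def naive_client_ip(env)
  env['REMOTE_ADDR']
end

# Proxy-aware: honour X-Forwarded-For only when the peer is a trusted proxy,
# and take the right-most entry, the one that proxy appended. Entries to the
# left of it were supplied by the client and are not trusted.
def proxy_aware_client_ip(env)
  peer = IPAddr.new(env.fetch('REMOTE_ADDR'))
  return peer.to_s unless TRUSTED_PROXIES.any? { |net| net.include?(peer) }

  last_hop = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').last.to_s.strip
  return peer.to_s if last_hop.empty?

  begin
    IPAddr.new(last_hop).to_s
  rescue IPAddr::Error
    peer.to_s # malformed header: fall back to the peer address
  end
end

# Evaluate the IP allow rule against a resolved client address.
def allowed?(ip)
  addr = IPAddr.new(ip)
  ALLOWED_NETS.any? { |net| net.include?(addr) }
end

if __FILE__ == $PROGRAM_NAME
  [VIA_PROXY, CLIENT_SET, DIRECT].each do |env|
    naive = naive_client_ip(env)
    aware = proxy_aware_client_ip(env)
    puts "peer=#{naive} naive_allowed=#{allowed?(naive)} " \
         "resolved=#{aware} allowed=#{allowed?(aware)}"
  end
end
```
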