Don Jackson
2010-Jan-31 20:11 UTC
[Puppet Users] Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?
Hello,

I am attempting to get my machines configured properly so I can use puppetrun on my puppetmaster to get clients to update themselves during my development/testing of new recipes.

I understand about listen = true in the puppetd.conf file, and I also have learned about the namespaceauth.conf file, where I put stuff like:

    [puppetrunner]
    allow puppet.mydomain.com

This was all I needed to get machines on the same LAN as my puppetmaster to work, but it didn't work across firewalls to machines in a colo.

From router/firewall logs, it appears that the puppetmaster needs to connect to port 8139 of the machine running puppetd.

I wasn't able to find this clearly documented, hence this email.

Regards,

Don

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dan Bode
2010-Feb-01 00:28 UTC
Re: [Puppet Users] Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?
On Sun, Jan 31, 2010 at 12:11 PM, Don Jackson <puppet-users@clark-communications.com> wrote:

> From router/firewall logs, it appears that the puppetmaster needs to
> connect to port 8139 of the machine running puppetd.

that is correct, when using puppetrun, the authorized host needs to initiate a connection with the client on port 8139, then that host will initiate a request with its puppetmaster on 8140.

You can change the puppetd listen port with the puppetport option.

-Dan
grg350
2010-Feb-11 02:49 UTC
[Puppet Users] Re: Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?
Don, looks like you are able to run puppetrun to configure clients. It's not working for me. My config files go:

On Client:

    cat puppet.conf
    [main]
    server=puppetmaster.mydomain.com
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    pluginsync=true

    [puppetd]
    listen=true

    cat namespaceauth.conf
    [puppetrunner]
    allow puppetmaster.mydomain.com

On puppetmaster:

    cat namespaceauth.com
    [fileserver]
    allow *.mydomain.com
    [puppetmaster]
    allow *.mydomain.com
    [puppetrunner]
    allow *.mydomain.com

I ran puppetrun with

    #puppetrun --host client.mydomain.com

But it doesn't look like the client gets updated and exits with

    "Failed to load ruby LDAP library. LDAP functionality will not be available
    Finished"

Also, I don't see any traffic on port 8139 and 8140 while running tcpdump. Those two machines are on the same LAN and no firewall between them. Not sure what I have been missing. Any help would be appreciated.

Thanks,
grg350
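Added example, not part of the thread and not Puppet's own code: a small Python audit of the client-side puppet.conf and namespaceauth.conf posted above. It derives the two TCP flows Dan describes (puppetrun host to client on 8139 or puppetport, client to puppetmaster on 8140) and flags settings that block or widen puppetrun access. The sample files are constructed from the posted ones, and the [puppetd]-before-[main] lookup order is an assumption.

```python
import re

MASTER_PORT = 8140          # client -> puppetmaster, as stated in the thread
DEFAULT_LISTEN_PORT = 8139  # puppetrun host -> puppetd; puppetport overrides it
SECTION = re.compile(r"^\[(\w+)\]$")

# Constructed samples, modelled on the client files posted in the thread.
PUPPET_CONF = """\
[main]
server=puppetmaster.mydomain.com
pluginsync=true
[puppetd]
listen=true
"""
NAMESPACEAUTH = """\
[puppetrunner]
allow puppetmaster.mydomain.com
"""


def parse_sections(text):
    """Split an INI-like file into {section: [non-blank, non-comment lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION.match(line)
        if match:
            current = sections.setdefault(match.group(1), [])
        elif current is not None:
            current.append(line)
    return sections


def setting(conf, name, default):
    """Read a setting from [puppetd], then [main] (lookup order is an assumption)."""
    for section in ("puppetd", "main"):
        for line in conf.get(section, []):
            key, _, value = line.partition("=")
            if key.strip() == name:
                return value.strip()
    return default


def audit_client(client, puppet_conf, namespaceauth):
    """Return (flows, findings); flows are (source, destination, tcp_port)."""
    conf, acl = parse_sections(puppet_conf), parse_sections(namespaceauth)
    port = int(setting(conf, "puppetport", DEFAULT_LISTEN_PORT))
    server = setting(conf, "server", "<server not set>")
    rules = [line.split() for line in acl.get("puppetrunner", [])]
    runners = [r[1] for r in rules if len(r) == 2 and r[0] == "allow"]

    findings = []
    if setting(conf, "listen", "false").lower() != "true":
        findings.append("listen is not true: puppetd opens no port for puppetrun")
    if not runners:
        findings.append("[puppetrunner] has no allow line: no host may trigger a run")
    for pattern in runners:
        if "*" in pattern:
            findings.append(f"allow {pattern} in [puppetrunner] matches more "
                            "hosts than the puppetmaster alone")
    flows = [(runner, client, port) for runner in runners]
    flows.append((client, server, MASTER_PORT))
    return flows, findings


if __name__ == "__main__":
    flows, findings = audit_client("client.mydomain.com", PUPPET_CONF, NAMESPACEAUTH)
    for src, dst, port in flows:
        print(f"firewall must pass tcp {src} -> {dst}:{port}")
    for finding in findings:
        print("finding:", finding)
```

Each flow is a rule the firewall between the two sites has to pass; limiting the 8139 rule to the puppetmaster's address keeps the listener unreachable from everywhere else.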
Iain Sutton
2010-Feb-11 20:44 UTC
Re: [Puppet Users] Re: Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?
Hi,

We are able to successfully invoke puppetrun from the puppetmaster. The two main differences between our configuration and what is posted below are:

a) the line 'server=puppet.mydomain.com' is in the [puppetd] section on the client, not in the [main] section
b) we don't have a namespaceauth.conf on the puppetmaster at all, since when we had this in place, all clients would receive a '500 Internal Server Error' when they checked in. I haven't revisited this recently.

We're running puppet 0.24.8 on CentOS/RHEL on client and server.

Hope this helps,

Iain

On 11 February 2010 13:49, grg350 <grg350@gmail.com> wrote:

> Don, looks like you are able to run puppetrun to configure clients.
> It's not working for me.
> My config files go:
>
> On Client:
> cat puppet.conf
> [main]
> server=puppetmaster.mydomain.com
> logdir=/var/log/puppet
> vardir=/var/lib/puppet
> ssldir=/var/lib/puppet/ssl
> rundir=/var/run/puppet
> factpath=$vardir/lib/facter
> pluginsync=true
>
> [puppetd]
> listen=true
>
> cat namespaceauth.conf
> [puppetrunner]
> allow puppetmaster.mydomain.com
>
> On puppetmaster:
> cat namespaceauth.com
> [fileserver]
> allow *.mydomain.com
> [puppetmaster]
> allow *.mydomain.com
> [puppetrunner]
> allow *.mydomain.com
>
> I ran puppetrun with
> #puppetrun --host client.mydomain.com
>
> But it doesn't look like the client gets updated and exits with
> "Failed to load ruby LDAP library. LDAP functionality will not be
> available
> Finished"
>
> Also, I don't see any traffic on port 8139 and 8140 while running
> tcpdump. Those two machines are on the same LAN and no firewall between
> them. Not sure what I have been missing. Any help would be
> appreciated.
>
> Thanks,
> grg350
Raj Gurung
2010-Feb-11 22:55 UTC
Re: [Puppet Users] Re: Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?
Modified the puppet.conf but no joy still.

    # puppetrun -d --host client.mydomain.com
    debug: Parsing /etc/puppet/puppet.conf
    Finished

I don't see the changes pushed to client.mydomain.com box. I wonder if LDAP is a required component for puppetrun?

Thanks,
grg350

--
"Nothing comes easy that is done well." -Harry F. Banks
Joe McDonagh
2010-Feb-12 14:36 UTC
Re: [Puppet Users] Re: Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?
Raj Gurung wrote:

> Modified the puppet.conf but no joy still.
>
> # puppetrun -d --host client.mydomain.com
> debug: Parsing /etc/puppet/puppet.conf
> Finished
>
> I don't see the changes pushed to client.mydomain.com box. I wonder if
> LDAP is a required component for puppetrun?
>
> Thanks,
> grg350

Does netstat -tnlp show puppetd listening on port 8139?

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary