Bill Weiss
2010-Apr-21 18:33 UTC
[Puppet Users] Odd behavior for clients with trailing dot in their FQDN
All,
I'm just getting started with puppet, so excuse any lack of vocabulary
in this email.
I've got a server (CentOS 5.4) running with a little more than the
example puppet configuration. Importantly, I'm using the supplied
auth.conf, and the relevant portion looks like this:
path ~ ^/catalog/([^/]+)$
method find
allow $1
I just created a new VM as a puppet client (also CentOS 5.4), which
calls itself ib3stage.domainI. (with trailing dot). When it tries to
sync for the first time, I get this on the client:
-bash-3.2# puppetd --waitforcert 60 --test --server puppet.domainB.
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
The server shows this:
info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing 'method' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: access[^/catalog/([^/]+)$]: defaulting to no access for ib3stage.domainB.
warning: Denying access: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated at line 52
err: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated at line 52
If I convince the client that it is "ib3stage.domainI" (no dot),
everything works as expected. Likewise, if I change the third line of
my auth.conf stanza from above to "allow *", it works, though I don't
want to continue to run like that.
Can any of you reproduce this? Discussion in IRC was that this seemed
like a bug, but I'd like a sanity check before I file one. It was
suggested that a fix to facter could help with this (to strip trailing
dot?), but I would guess that this is a server-side thing.
Thank you.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
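As an added example (not Puppet's own code), a small Ruby model of the auth.conf stanza quoted above: it shows how `allow $1` compares the name captured from the request path against the client's certname, why a trailing root dot on only one side of that comparison produces exactly the 403 in the log, and that canonicalizing both sides keeps `allow $1` working without falling back to `allow *`. The thread does not establish where Puppet keeps or drops the dot, so the canonicalization step here is an assumption, and the rule structure is a simplification of the real auth.conf format.

```ruby
# Model of one auth.conf stanza ("path ~ ^/catalog/([^/]+)$", "method find",
# "allow $1"). Added example, not Puppet's code; host names are the thread's.

# Lowercase and drop a single trailing root dot so "host.domain." and
# "host.domain" compare as the same identity (assumed canonical form).
def canonical_fqdn(name)
  name.downcase.sub(/\.\z/, "")
end

# Evaluate one stanza against a request.
# Returns true/false when the stanza applies, nil when the path or method
# does not match (a real ACL would fall through to later stanzas).
def rule_allows(rule, path, req_method, certname, canonicalize: true)
  m = rule[:path_re].match(path)
  return nil if m.nil? || !rule[:methods].include?(req_method)
  norm = canonicalize ? method(:canonical_fqdn) : ->(s) { s }
  rule[:allow].each do |entry|
    return true if entry == "*"
    # expand $1, $2, ... from the path regex captures, as auth.conf does
    expanded = entry.gsub(/\$(\d+)/) { m[Regexp.last_match(1).to_i] }
    return true if norm.call(expanded) == norm.call(certname)
  end
  false
end

CATALOG_RULE = {
  path_re: %r{^/catalog/([^/]+)$},
  methods: ["find"],
  allow:   ["$1"]
}.freeze

# Fail closed: anything the stanza does not explicitly allow is denied,
# which is why "allow $1" rather than "allow *" is the safe setting.
def decide(path, req_method, certname, canonicalize: true)
  ok = rule_allows(CATALOG_RULE, path, req_method, certname,
                   canonicalize: canonicalize)
  ok ? "allow" : "deny"
end

if __FILE__ == $PROGRAM_NAME
  # byte-for-byte comparison: dotted path name vs undotted certname differ
  puts decide("/catalog/ib3stage.domainI.", "find", "ib3stage.domainI", canonicalize: false)
  # same request with both sides canonicalized
  puts decide("/catalog/ib3stage.domainI.", "find", "ib3stage.domainI")
  # one node asking for another node's catalog is still refused
  puts decide("/catalog/other.domainI", "find", "ib3stage.domainI")
end
```

The three calls print deny, allow, deny: the first is the 403 from the thread, the last shows that canonicalizing does not loosen the rule for other node names.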
Jesús M. Navarro
2010-Apr-21 21:40 UTC
Re: [Puppet Users] Odd behavior for clients with trailing dot in their FQDN
I Bliss:

On Wednesday 21 April 2010 20:33:26 Bill Weiss wrote:
> All,
>
> I'm just getting started with puppet, so excuse any lack of vocabulary
> in this email.
>
> I've got a server (CentOS 5.4) running with a little more than the
> example puppet configuration. Importantly, I'm using the supplied
> auth.conf, and the relevant portion looks like this:
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> I just created a new VM as a puppet client (also CentOS 5.4), which
> calls itself ib3stage.domainI. (with trailing dot).

While probably on the verge of being technically correct (after all, the ending dot is the mark for the root domain), it is quite strange to end FQDNs with the dot outside declarations on DNSs. May I ask why such a strange host name (why not just ib3stage.domainI)?

Cheers.
Bill Weiss
2010-Apr-22 20:24 UTC
Re: [Puppet Users] Odd behavior for clients with trailing dot in their FQDN
2010/4/21 Jesús M. Navarro <jesus.navarro@andago.com>:
> I Bliss:
>
> On Wednesday 21 April 2010 20:33:26 Bill Weiss wrote:
>> I just created a new VM as a puppet client (also CentOS 5.4), which
>> calls itself ib3stage.domainI. (with trailing dot).
>
> While probably on the verge of being technically correct (after all, the ending
> dot is the mark for the root domain), it is quite strange to end FQDNs with the
> dot outside declarations on DNSs. May I ask why such a strange host name
> (why not just ib3stage.domainI)?

Because my company owns domainI.com. , and uses domainI. internally.
So, to disambiguate, I use domainI. for internal systems.

I'm pretty sure that I can change this machine to not be rooted, but
software that handles FQDNs should accept rooted domains. How it's
handled could be up to debate (though it seems simple to me), but just
dropping it on the floor doesn't seem right.

--
Bill Weiss
^[:wq
Ohad Levy
2010-Apr-23 01:55 UTC
Re: [Puppet Users] Odd behavior for clients with trailing dot in their FQDN
Hi Bill,

1. ask for a new feature request :) most likely in facter.
2. "try" to use the certname option in puppet.conf instead.

cheers,
Ohad

On Fri, Apr 23, 2010 at 4:24 AM, Bill Weiss <bill.weiss@gmail.com> wrote:
> 2010/4/21 Jesús M. Navarro <jesus.navarro@andago.com>:
>> May I ask why such a strange host name (why not just ib3stage.domainI)?
>
> Because my company owns domainI.com. , and uses domainI. internally.
> So, to disambiguate, I use domainI. for internal systems.
>
> I'm pretty sure that I can change this machine to not be rooted, but
> software that handles FQDNs should accept rooted domains. How it's
> handled could be up to debate (though it seems simple to me), but just
> dropping it on the floor doesn't seem right.
>
> --
> Bill Weiss
> ^[:wq