Bill Weiss
2010-Apr-21 18:33 UTC
[Puppet Users] Odd behavior for clients with trailing dot in their FQDN
All,

I'm just getting started with puppet, so excuse any lack of vocabulary in this email.

I've got a server (CentOS 5.4) running with a little more than the example puppet configuration. Importantly, I'm using the supplied auth.conf, and the relevant portion looks like this:

    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

I just created a new VM as a puppet client (also CentOS 5.4), which calls itself ib3stage.domainI. (with trailing dot). When it tries to sync for the first time, I get this on the client:

    -bash-3.2# puppetd --waitforcert 60 --test --server puppet.domainB.
    err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated at line 0
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

The server shows this:

    info: access[^/catalog/([^/]+)$]: allowing 'method' find
    info: access[^/catalog/([^/]+)$]: allowing $1 access
    info: access[/certificate_revocation_list/ca]: allowing 'method' find
    info: access[/certificate_revocation_list/ca]: allowing * access
    info: access[/report]: allowing 'method' save
    info: access[/report]: allowing * access
    info: access[/file]: allowing * access
    info: access[/certificate/ca]: adding authentication no
    info: access[/certificate/ca]: allowing 'method' find
    info: access[/certificate/ca]: allowing * access
    info: access[/certificate/]: adding authentication no
    info: access[/certificate/]: allowing 'method' find
    info: access[/certificate/]: allowing * access
    info: access[/certificate_request]: adding authentication no
    info: access[/certificate_request]: allowing 'method' find
    info: access[/certificate_request]: allowing 'method' save
    info: access[/certificate_request]: allowing * access
    info: access[/]: adding authentication any
    info: access[^/catalog/([^/]+)$]: defaulting to no access for ib3stage.domainB.
    warning: Denying access: Forbidden request: ib3stage.domainI. (10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated at line 52
    err: Forbidden request: ib3stage.domainI.(10.0.12.15) access to /catalog/ib3stage.domainI. [find] authenticated at line 52

If I convince the client that it is "ib3stage.domainI" (no dot), everything works as expected. Likewise, if I change the third line of my auth.conf stanza from above to "allow *", it works, though I don't want to continue to run like that.

Can any of you reproduce this? Discussion in IRC was that this seemed like a bug, but I'd like a sanity check before I file one. It was suggested that a fix to facter could help with this (to strip trailing dot?), but I would guess that this is a server-side thing.

Thank you.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
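
Added example, not part of the original post and not Puppet's code: the thread does not establish where in Puppet the mismatch arises, so this Ruby sketch only models a rule of the "allow $1" kind. It shows that a raw string comparison treats the rooted and unrooted spellings of one FQDN as different nodes, and that canonicalizing both sides removes the mismatch without admitting other hosts; canonical_fqdn and catalog_allowed? are hypothetical names.

```ruby
# Added illustration: a toy model of a capture-based ACL rule, not Puppet's code.
# The pattern is the one quoted in the thread, anchored with \A/\z because
# Ruby's ^ and $ match at line boundaries rather than string boundaries.
ACL_PATH = %r{\A/catalog/([^/]+)\z}

# Hypothetical helper: canonical form of a DNS name for comparison.
# Lower-cased, surrounding whitespace removed, one trailing root dot dropped.
def canonical_fqdn(name)
  name.to_s.strip.downcase.chomp('.')
end

# Models "allow $1": the authenticated client name must equal the path capture.
# normalize: false compares raw strings; normalize: true canonicalizes both sides.
def catalog_allowed?(client_name, request_path, normalize: true)
  m = ACL_PATH.match(request_path)
  return false unless m                      # rule does not apply: default deny
  return client_name == m[1] unless normalize

  client = canonical_fqdn(client_name)
  wanted = canonical_fqdn(m[1])
  return false if client.empty?              # "" or "." never identifies a node
  client == wanted
end

# Constructed cases (names taken from the thread, pairings are illustrative).
CASES = [
  ['ib3stage.domainI',  '/catalog/ib3stage.domainI.'],  # rooted vs unrooted
  ['ib3stage.domainI.', '/catalog/ib3stage.domainI.'],  # identical strings
  ['other.domainI.',    '/catalog/ib3stage.domainI.'],  # a different node
  ['ib3stage.domainI',  '/catalog/ib3stage.domainI..'], # malformed name
]

CASES.each do |client, path|
  raw  = catalog_allowed?(client, path, normalize: false)
  norm = catalog_allowed?(client, path)
  puts format('%-20s %-30s raw=%-5s normalized=%s', client, path, raw, norm)
end
```

Only a single trailing dot is dropped, so a malformed name with two trailing dots still fails to match, and a different host is denied in both modes.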
Jesús M. Navarro
2010-Apr-21 21:40 UTC
Re: [Puppet Users] Odd behavior for clients with trailing dot in their FQDN
I Bliss:

On Wednesday 21 April 2010 20:33:26 Bill Weiss wrote:
> All,
>
> I'm just getting started with puppet, so excuse any lack of vocabulary
> in this email.
>
> I've got a server (CentOS 5.4) running with a little more than the
> example puppet configuration. Importantly, I'm using the supplied
> auth.conf, and the relevant portion looks like this:
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> I just created a new VM as a puppet client (also CentOS 5.4), which
> calls itself ib3stage.domainI. (with trailing dot).

While probably on the verge of being technically correct (after all, the ending dot is the mark for the root domain), it is quite strange to end FQDNs with the dot outside declarations on DNSs. May I ask why such a strange host name (why not just ib3stage.domainI)?

Cheers.
Bill Weiss
2010-Apr-22 20:24 UTC
Re: [Puppet Users] Odd behavior for clients with trailing dot in their FQDN
2010/4/21 Jesús M. Navarro <jesus.navarro@andago.com>:
> I Bliss:
>
> On Wednesday 21 April 2010 20:33:26 Bill Weiss wrote:
>> All,
>>
>> I'm just getting started with puppet, so excuse any lack of vocabulary
>> in this email.
>>
>> I've got a server (CentOS 5.4) running with a little more than the
>> example puppet configuration. Importantly, I'm using the supplied
>> auth.conf, and the relevant portion looks like this:
>> path ~ ^/catalog/([^/]+)$
>> method find
>> allow $1
>>
>> I just created a new VM as a puppet client (also CentOS 5.4), which
>> calls itself ib3stage.domainI. (with trailing dot).
>
> While probably on the verge of being technically correct (after all, the ending
> dot is the mark for the root domain), it is quite strange to end FQDNs with the
> dot outside declarations on DNSs. May I ask why such a strange host name
> (why not just ib3stage.domainI)?

Because my company owns domainI.com. , and uses domainI. internally. So, to disambiguate, I use domainI. for internal systems.

I'm pretty sure that I can change this machine to not be rooted, but software that handles FQDNs should accept rooted domains. How it's handled could be up to debate (though it seems simple to me), but just dropping it on the floor doesn't seem right.

--
Bill Weiss
^[:wq
Ohad Levy
2010-Apr-23 01:55 UTC
Re: [Puppet Users] Odd behavior for clients with trailing dot in their FQDN
Hi Bill,

1. ask for a new feature request :) most likely in facter.
2. "try" to use the certname option in puppet.conf instead.

cheers,
Ohad

On Fri, Apr 23, 2010 at 4:24 AM, Bill Weiss <bill.weiss@gmail.com> wrote:
> 2010/4/21 Jesús M. Navarro <jesus.navarro@andago.com>:
> > I Bliss:
> >
> > On Wednesday 21 April 2010 20:33:26 Bill Weiss wrote:
> >> All,
> >>
> >> I'm just getting started with puppet, so excuse any lack of vocabulary
> >> in this email.
> >>
> >> I've got a server (CentOS 5.4) running with a little more than the
> >> example puppet configuration. Importantly, I'm using the supplied
> >> auth.conf, and the relevant portion looks like this:
> >> path ~ ^/catalog/([^/]+)$
> >> method find
> >> allow $1
> >>
> >> I just created a new VM as a puppet client (also CentOS 5.4), which
> >> calls itself ib3stage.domainI. (with trailing dot).
> >
> > While probably on the verge of being technically correct (after all, the ending
> > dot is the mark for the root domain), it is quite strange to end FQDNs with the
> > dot outside declarations on DNSs. May I ask why such a strange host name
> > (why not just ib3stage.domainI)?
>
> Because my company owns domainI.com. , and uses domainI. internally.
> So, to disambiguate, I use domainI. for internal systems.
>
> I'm pretty sure that I can change this machine to not be rooted, but
> software that handles FQDNs should accept rooted domains. How it's
> handled could be up to debate (though it seems simple to me), but just
> dropping it on the floor doesn't seem right.
>
> --
> Bill Weiss
> ^[:wq