cyrus_mc
2010-Sep-12 17:09 UTC
[Puppet Users] Puppet + Passenger error - /var/lib/puppet/.puppet
I am trying to set up Puppet + Passenger with Apache.
After initially setting it up, on the client I was getting 403 errors
when trying to access /catalog, /plugins, etc. Pretty much anything
that my client tried to access I received a 403 error.
I then looked in the /var/log/messages file and found the following:
Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL key for ls1314p.encana.com
Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL certificate request for ls1314p.encana.com
Sep 10 16:27:25 ls1314p puppet-master[26378]: Starting Puppet server version 0.25.5
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/file'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_revocation_list/ca'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/report'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/ca'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_request'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: (access[/]) defaulting to no access for lv1779p.encana.com
Sep 10 16:27:25 ls1314p puppet-master[26378]: Denying access: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
Sep 10 16:27:25 ls1314p puppet-master[26378]: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
As you can see, it seems to be looking for the auth.conf file in
/var/lib/puppet/.puppet. As a quick workaround I created the
/var/lib/puppet/.puppet/auth.conf file, but it just led to more issues.
Not sure why it is thinking the (I believe auth.conf is in the
confdir) is /var/lib/puppet/.puppet.
Here is my puppet.conf on puppetmaster.
[main]
# The Puppet log directory
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where the Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where the SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
confdir = /puppet/development
#external_nodes = /usr/bin/cobbler-ext-nodes
#node_terminus = exec
[puppetd]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
certificate_revocation = false
Here is my config.ru which is owned by puppet
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.
# if puppet is not in your RUBYLIB;
# $:.unshift('/opt/puppet/lib')
$0 = "master"
# if you want debugging:
ARGV << "--debug"
ARGV << "--rack"
#require 'puppet/application/master'
require 'puppet/application/puppetmasterd'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
#run Puppet::Application[:master].run
run Puppet::Application[:puppetmasterd].run
I am running puppet 0.25 on RHEL v5.5.
Any help would be appreciated as I have been unable to get around this
issue.
Thanks
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Marc Zampetti
2010-Sep-13 13:25 UTC
Re: [Puppet Users] Puppet + Passenger error - /var/lib/puppet/.puppet
This is a known bug. You need to set vardir and confdir for the [puppetmasterd] section explicitly, otherwise you get the default of .puppet for the var dir. Do this, and running puppet from passenger should be fine.
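An added example, not part of the thread or of Puppet itself: a small Ruby check that lints a puppet.conf for the fix described in the reply (explicit vardir and confdir under [puppetmasterd]) and confirms the symptom from the master's syslog lines. The helper names and the sample inputs are constructed for illustration, and vardir = /var/lib/puppet is an assumed value that the thread does not state.

```ruby
REQUIRED = %w[vardir confdir].freeze

# Parse an INI-style puppet.conf into { "section" => { "key" => "value" } }.
def parse_puppet_conf(text)
  sections = {}
  current = nil
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
      sections[current] ||= {}
    elsif current && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# Settings the reply says must be set explicitly in [puppetmasterd].
def missing_master_settings(text)
  REQUIRED - parse_puppet_conf(text).fetch('puppetmasterd', {}).keys
end

# auth.conf paths the master reported as missing when it inserted default ACLs.
def missing_auth_conf_paths(log)
  log.scan(/acl because (\S+auth\.conf) doesn't exist/).flatten.uniq
end

# True when auth.conf was looked up inside a per-user ".puppet" directory,
# i.e. the configured confdir was not the one the master used.
def home_dir_fallback?(log)
  missing_auth_conf_paths(log).any? { |p| File.basename(File.dirname(p)) == '.puppet' }
end

# Constructed sample: excerpt of the puppet.conf posted in the question.
POSTED_CONF = <<~CONF
  [main]
  confdir = /puppet/development
  [puppetmasterd]
  ssl_client_header = SSL_CLIENT_S_DN
CONF
# Constructed sample: same file with the fix applied (vardir value is assumed).
FIXED_CONF = POSTED_CONF + "vardir = /var/lib/puppet\nconfdir = /puppet/development\n"
# Constructed sample: one log line taken from the question.
SAMPLE_LOG = "Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default " \
             "'/report'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist\n"

puts "posted conf lacks: #{missing_master_settings(POSTED_CONF).inspect}"
puts "fixed conf lacks:  #{missing_master_settings(FIXED_CONF).inspect}"
puts "home-dir fallback seen in log: #{home_dir_fallback?(SAMPLE_LOG)}"
```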