cyrus_mc
2010-Sep-12 17:09 UTC
[Puppet Users] Puppet + Passenger error - /var/lib/puppet/.puppet
I am trying to set up Puppet + Passenger with Apache.

After initially setting it up, on the client I was getting 403 errors when trying to access /catalog, /plugins, etc. Pretty much anything that my client tried to access I received a 403 error.

I then looked in the /var/log/messages file and found the following:

    Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL key for ls1314p.encana.com
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL certificate request for ls1314p.encana.com
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Starting Puppet server version 0.25.5
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/file'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_revocation_list/ca'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/report'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/ca'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_request'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
    Sep 10 16:27:25 ls1314p puppet-master[26378]: (access[/]) defaulting to no access for lv1779p.encana.com
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Denying access: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
    Sep 10 16:27:25 ls1314p puppet-master[26378]: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0

As you can see, it seems to be looking for the auth.conf file in /var/lib/puppet/.puppet. As a quick workaround I created the /var/lib/puppet/.puppet/auth.conf file but it just led to more issues.

Not sure why it is thinking the (I believe auth.conf is in the confdir) is /var/lib/puppet/.puppet.

Here is my puppet.conf on puppetmaster.

    [main]
        # The Puppet log directory
        # The default value is '$vardir/log'.
        logdir = /var/log/puppet

        # Where the Puppet PID files are kept.
        # The default value is '$vardir/run'.
        rundir = /var/run/puppet

        # Where the SSL certificates are kept.
        # The default value is '$confdir/ssl'.
        ssldir = $vardir/ssl

        confdir = /puppet/development

        #external_nodes = /usr/bin/cobbler-ext-nodes
        #node_terminus = exec

    [puppetd]
        # The file in which puppetd stores a list of the classes
        # associated with the retrieved configuration. Can be loaded in
        # the separate ``puppet`` executable using the ``--loadclasses``
        # option.
        # The default value is '$confdir/classes.txt'.
        classfile = $vardir/classes.txt

        # Where puppetd caches the local configuration. An
        # extension indicating the cache format is added automatically.
        # The default value is '$confdir/localconfig'.
        localconfig = $vardir/localconfig

    [puppetmasterd]
        ssl_client_header = SSL_CLIENT_S_DN
        ssl_client_verify_header = SSL_CLIENT_VERIFY
        certificate_revocation = false

Here is my config.ru which is owned by puppet

    # a config.ru, for use with every rack-compatible webserver.
    # SSL needs to be handled outside this, though.

    # if puppet is not in your RUBYLIB;
    # $:.unshift('/opt/puppet/lib')

    $0 = "master"

    # if you want debugging:
    ARGV << "--debug"

    ARGV << "--rack"
    #require 'puppet/application/master'
    require 'puppet/application/puppetmasterd'
    # we're usually running inside a Rack::Builder.new {} block,
    # therefore we need to call run *here*.
    #run Puppet::Application[:master].run
    run Puppet::Application[:puppetmasterd].run

I am running puppet 0.25 on RHEL v5.5.

Any help would be appreciated as I have been unable to get around this issue.

Thanks
Marc Zampetti
2010-Sep-13 13:25 UTC
Re: [Puppet Users] Puppet + Passenger error - /var/lib/puppet/.puppet
This is a known bug. You need to set vardir and confdir for the [puppetmasterd] section explicitly, otherwise you get the default of .puppet for the var dir. Do this, and running puppet from passenger should be fine.

On 9/12/10 1:09 PM, cyrus_mc wrote:
> I am trying to set up Puppet + Passenger with Apache.
>
> After initially setting it up, on the client I was getting 403 errors
> when trying to access /catalog, /plugins, etc. Pretty much anything
> that my client tried to access I received a 403 error.
>
> I then looked in the /var/log/messages file and found the following:
>
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL key for ls1314p.encana.com
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL certificate request for ls1314p.encana.com
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Starting Puppet server version 0.25.5
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/file'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_revocation_list/ca'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/report'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/ca'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_request'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
> Sep 10 16:27:25 ls1314p puppet-master[26378]: (access[/]) defaulting to no access for lv1779p.encana.com
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Denying access: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
> Sep 10 16:27:25 ls1314p puppet-master[26378]: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
>
> As you can see, it seems to be looking for the auth.conf file in
> /var/lib/puppet/.puppet. As a quick workaround I created the
> /var/lib/puppet/.puppet/auth.conf file but it just led to more issues.
>
> Not sure why it is thinking the (I believe auth.conf is in the
> confdir) is /var/lib/puppet/.puppet.
>
> Here is my puppet.conf on puppetmaster.
>
> [main]
>     # The Puppet log directory
>     # The default value is '$vardir/log'.
>     logdir = /var/log/puppet
>
>     # Where the Puppet PID files are kept.
>     # The default value is '$vardir/run'.
>     rundir = /var/run/puppet
>
>     # Where the SSL certificates are kept.
>     # The default value is '$confdir/ssl'.
>     ssldir = $vardir/ssl
>
>     confdir = /puppet/development
>
>     #external_nodes = /usr/bin/cobbler-ext-nodes
>     #node_terminus = exec
>
> [puppetd]
>     # The file in which puppetd stores a list of the classes
>     # associated with the retrieved configuration. Can be loaded in
>     # the separate ``puppet`` executable using the ``--loadclasses``
>     # option.
>     # The default value is '$confdir/classes.txt'.
>     classfile = $vardir/classes.txt
>
>     # Where puppetd caches the local configuration. An
>     # extension indicating the cache format is added automatically.
>     # The default value is '$confdir/localconfig'.
>     localconfig = $vardir/localconfig
>
> [puppetmasterd]
>     ssl_client_header = SSL_CLIENT_S_DN
>     ssl_client_verify_header = SSL_CLIENT_VERIFY
>     certificate_revocation = false
>
> Here is my config.ru which is owned by puppet
>
> # a config.ru, for use with every rack-compatible webserver.
> # SSL needs to be handled outside this, though.
>
> # if puppet is not in your RUBYLIB;
> # $:.unshift('/opt/puppet/lib')
>
> $0 = "master"
>
> # if you want debugging:
> ARGV << "--debug"
>
> ARGV << "--rack"
> #require 'puppet/application/master'
> require 'puppet/application/puppetmasterd'
> # we're usually running inside a Rack::Builder.new {} block,
> # therefore we need to call run *here*.
> #run Puppet::Application[:master].run
> run Puppet::Application[:puppetmasterd].run
>
> I am running puppet 0.25 on RHEL v5.5.
>
> Any help would be appreciated as I have been unable to get around this
> issue.
>
> Thanks
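
Added example, not part of the original thread and not Puppet's own code: a Ruby check that applies the advice in the reply above to a puppet.conf (are vardir and confdir set in [puppetmasterd]?) and spots the matching log symptom, an auth.conf looked up under a per-user .puppet directory. The function and constant names are hypothetical, the sample inputs are constructed from the thread, and the vardir value /var/lib/puppet is an assumption.

```ruby
# Added example: audits a puppet.conf and a master log for the problem in this thread.
REQUIRED = %w[vardir confdir].freeze # settings the reply says to set explicitly

# Parse puppet.conf text into { "section" => { "key" => "value" } }.
def parse_puppet_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif section && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2]
    end
  end
  conf
end

# Required settings that [puppetmasterd] does not set itself.
def missing_master_dirs(text)
  master = parse_puppet_conf(text).fetch('puppetmasterd', {})
  REQUIRED.reject { |key| master.key?(key) }
end

# auth.conf paths under a per-user .puppet directory that the master reported
# missing: the log symptom of the fallback described in the reply.
def fallback_auth_paths(log)
  log.scan(%r{acl because (\S*/\.puppet/auth\.conf) doesn't exist}).flatten.uniq
end

# Constructed sample: the poster's settings, trimmed.
AS_POSTED = <<~'CONF'
  [main]
  confdir = /puppet/development
  ssldir = $vardir/ssl
  [puppetmasterd]
  ssl_client_header = SSL_CLIENT_S_DN
CONF
# Same file with the suggested settings; the vardir value is an assumption.
WITH_FIX = AS_POSTED + "vardir = /var/lib/puppet\nconfdir = /puppet/development\n"
# Two log lines as they appear in the thread.
SAMPLE_LOG = <<~'LOG'
  Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/file'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
  Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/report'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
LOG

puts "as posted, missing: #{missing_master_dirs(AS_POSTED).inspect}"
puts "with fix, missing:  #{missing_master_dirs(WITH_FIX).inspect}"
puts "fallback paths:     #{fallback_auth_paths(SAMPLE_LOG).inspect}"
```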