David Chin
2012-Jan-06 22:04 UTC
[Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
Hello,
I'm new to puppet, and am working through the Pro Puppet book
(Turnbull & McCune). After a bit of struggling, I managed to get
puppet + passenger + apache mostly working: a simple connect to the
server on https port 8140 gives "The environment must be purely
alphanumeric, not ''"
Here is what I have running:
- RedHat Enterprise Linux 6
- httpd 2.2.15-15.el6
- puppet 2.7.9-1.el6
- puppet-server 2.7.9-1.el6
- mod_passenger 3.0.11-1.el6
- rubygem-rack 1.1.0-2.el6
- facter 1.6.4-1.el6
I'm sanitizing data here by using "puppet.example.com" as the server name.
My /etc/puppet/puppet.conf has:
[main]
server = puppet.example.com
On the puppet server, I am trying to test by doing: puppet agent --verbose --debug --test
I get the error message:
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/puppet.example.com.yaml
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
Permissions on /var/lib/puppet/yaml/facts:
drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/yaml/facts/
I manually created the .yaml file by doing: facter -y > ${factsdir}/$(facter fqdn).yaml
Thanks in advance for any pointers.
Cheers,
-- David Chin
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
David Klann
2012-Jan-09 14:26 UTC
[Puppet Users] Re: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
I just ran into this with Puppet Enterprise on CentOS 6.2. This may be
related to a known bug, but it seems slightly different:
http://projects.puppetlabs.com/issues/11807
Maybe someone with more experience can offer their view.
~David Klann
David Chin
2012-Jan-09 16:31 UTC
Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
Turns out to be SELinux: httpd_t needs file write to puppet_var_lib_t.
Cheers,
Dave
--
David Chin, Ph.D.
chindw@wfu.edu High Performance Computing Systems Analyst
Office: +1.336.758.2964 Wake Forest University
Mobile: +1.336.608.0793 Winston-Salem, NC
Email-to-txt: 3366080793@mms.att.net Google Talk: chindw@wfu.edu
Web: http://www.wfu.edu/~chindw
https://plus.google.com/108169173177119739731/about
David Chin
2012-Jan-13 06:30 UTC
Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
Some details on how I fixed it. There were also lots of mod_passenger
SELinux issues that were fixed, too. I didn't pick out the specific
subset of issues that only fixed Puppet.
Credit due to: http://skippy.net/puppet-subversion-selinux
# setsebool -P allow_ypbind 1
# ausearch -m avc | audit2allow -r > puppet_passenger.te
# mkdir -p /usr/share/selinux/packages/puppet_passenger
# mv puppet_passenger.te /usr/share/selinux/packages/puppet_passenger
# cd /usr/share/selinux/packages/puppet_passenger
# checkmodule -M -m -o puppet_passenger.mod puppet_passenger.te
checkmodule: loading policy configuration from puppet_passenger.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 10) to puppet_passenger.mod
# semodule_package -o puppet_passenger.pp -m puppet_passenger.mod
# semodule -i puppet_passenger.pp
The specific issues that arose from httpd_t's need for access to
puppet stuff were:
allow httpd_t puppet_var_lib_t:dir { write read create add_name };
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto create write };
Hope that helps,
Dave
David Chin
2012-Jan-13 06:33 UTC
Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
And an error that arose in the past hour which I just figured out
needed this access:
allow httpd_t puppet_var_lib_t:file append;
G'night,
Dave
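The 13 Jan messages pipe every AVC denial in the audit log through audit2allow and note that the Puppet-specific subset was not separated out. As an added example (not part of the original thread), this Python script keeps only denials for one source/target type pair, here httpd_t and puppet_var_lib_t, before emitting module source for review; the audit records are constructed and the module name puppet_httpd_facts is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); timestamps, pids and
# inodes are made up. The last record is an unrelated denial that must not be allowed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326400001.101:501): avc:  denied  { write } for  pid=2101 comm="ruby" name="facts" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1326400001.102:502): avc:  denied  { add_name } for  pid=2101 comm="ruby" name="puppet.example.com.yaml" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1326400001.103:503): avc:  denied  { create } for  pid=2101 comm="ruby" name="puppet.example.com.yaml" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1326400001.104:504): avc:  denied  { write } for  pid=2101 comm="ruby" name="puppet.example.com.yaml" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1326400950.201:610): avc:  denied  { append } for  pid=2150 comm="ruby" name="puppet.example.com.yaml" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1326401200.301:700): avc:  denied  { read } for  pid=2200 comm="httpd" name="shadow" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def collect_rules(log_text, source_type, target_type):
    """Map object class -> denied permissions for one source/target type pair."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (context_type(m["s"]), context_type(m["t"])) != (source_type, target_type):
            continue  # not an AVC denial, or a denial outside the pair under review
        rules[m["cls"]].update(m["perms"].split())
    return dict(rules)

def render_module(name, source_type, target_type, rules):
    """Render type enforcement source that checkmodule -M -m can compile."""
    body = {cls: "{ " + " ".join(sorted(perms)) + " }" for cls, perms in sorted(rules.items())}
    lines = [f"module {name} 1.0;", "", "require {",
             f"\ttype {source_type};", f"\ttype {target_type};"]
    lines += [f"\tclass {cls} {perms};" for cls, perms in body.items()]
    lines += ["}", ""]
    lines += [f"allow {source_type} {target_type}:{cls} {perms};" for cls, perms in body.items()]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    found = collect_rules(SAMPLE_AUDIT_LOG, "httpd_t", "puppet_var_lib_t")
    print(render_module("puppet_httpd_facts", "httpd_t", "puppet_var_lib_t", found))
```

The rendered source can be read line by line before it is compiled and loaded with the checkmodule, semodule_package and semodule steps shown in the thread.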