Puppet users - May 2012 - Puppet First Run after Install failing in module pe_mcollective

I am installing puppet enterprise manager (master) on a RHEL box.
Though the install itself succeeds without any issues, the first run
of puppet when it tries to deploy the pe_mcollective module fails with
the following error.

Message:
change from notrun to 0 failed: sh -c ''umask 077; keytool -
importkeystore -deststorepass puppet -destkeypass puppet -destkeystore
broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype
PKCS12 -alias puppet-master.xyz.com'' returned 1 instead of one of [0]
at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
138

Source:
/Stage[main]/Pe_mcollective::Posix/Exec[broker_cert_keystore]/returns

File:
/opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp

I have uninstalled and cleaned out the dirs before installing, but no
change. Looks like something got wacked up with the creation of the
keystore.. Any suggestions

Thanks
Shiva

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

What version of PE and RHEL?

I''ve seen this problem a couple of times and I believe we have a fix
already. I''ll just need to track it down and make sure it''s
the same issue.

-Jeff

On Tuesday, May 22, 2012, Shiva wrote:
> I am installing puppet enterprise manager (master) on a RHEL box.
> Though the install itself succeeds without any issues, the first run
> of puppet when it tries to deploy the pe_mcollective module fails with
> the following error.
>
> Message:
> change from notrun to 0 failed: sh -c ''umask 077; keytool -
> importkeystore -deststorepass puppet -destkeypass puppet -destkeystore
> broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype
> PKCS12 -alias puppet-master.xyz.com'' returned 1 instead of one of
[0]
> at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
> 138
>
> Source:
> /Stage[main]/Pe_mcollective::Posix/Exec[broker_cert_keystore]/returns
>
> File:
> /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp
>
> I have uninstalled and cleaned out the dirs before installing, but no
> change. Looks like something got wacked up with the creation of the
> keystore.. Any suggestions
>
> Thanks
> Shiva
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to
puppet-users@googlegroups.com<javascript:;>
> .
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com <javascript:;>.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks Jeff

Puppet enterprise 2.5.1 and RHEL 6.2

Shiva

On May 22, 11:37 am, Jeff McCune <j...@puppetlabs.com>
wrote:
> What version of PE and RHEL?
>
> I''ve seen this problem a couple of times and I believe we have a
fix
> already. I''ll just need to track it down and make sure
it''s the same issue.
>
> -Jeff
>
>
>
>
>
>
>
> On Tuesday, May 22, 2012, Shiva wrote:
> > I am installing puppet enterprise manager (master) on a RHEL box.
> > Though the install itself succeeds without any issues, the first run
> > of puppet when it tries to deploy the pe_mcollective module fails with
> > the following error.
>
> > Message:
> > change from notrun to 0 failed: sh -c ''umask 077; keytool -
> > importkeystore -deststorepass puppet -destkeypass puppet -destkeystore
> > broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype
> > PKCS12 -alias puppet-master.xyz.com'' returned 1 instead of
one of [0]
> > at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
> > 138
>
> > Source:
> > /Stage[main]/Pe_mcollective::Posix/Exec[broker_cert_keystore]/returns
>
> > File:
> > /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp
>
> > I have uninstalled and cleaned out the dirs before installing, but no
> > change. Looks like something got wacked up with the creation of the
> > keystore.. Any suggestions
>
> > Thanks
> > Shiva
>
> > --
> > You received this message because you are subscribed to the Google
Groups
> > "Puppet Users" group.
> > To post to this group, send email to
puppet-users@googlegroups.com<javascript:;>
> > .
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscribe@googlegroups.com <javascript:;>.
> > For more options, visit this group at
> >http://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Jeff

Have you been able to identify the fix.. I am kinda stuck and havent
been able to move forward with this..

Thanks
Shiva

On May 22, 11:55 am, Shiva <shivaraman.ramad...@gmail.com>
wrote:
> Thanks Jeff
>
> Puppet enterprise 2.5.1 and RHEL 6.2
>
> Shiva
>
> On May 22, 11:37 am, Jeff McCune <j...@puppetlabs.com> wrote:
>
>
>
>
>
>
>
> > What version of PE and RHEL?
>
> > I''ve seen this problem a couple of times and I believe we
have a fix
> > already. I''ll just need to track it down and make sure
it''s the same issue.
>
> > -Jeff
>
> > On Tuesday, May 22, 2012, Shiva wrote:
> > > I am installing puppet enterprise manager (master) on a RHEL box.
> > > Though the install itself succeeds without any issues, the first
run
> > > of puppet when it tries to deploy the pe_mcollective module fails
with
> > > the following error.
>
> > > Message:
> > > change from notrun to 0 failed: sh -c ''umask 077;
keytool -
> > > importkeystore -deststorepass puppet -destkeypass puppet
-destkeystore
> > > broker.ks -srckeystore broker.p12 -srcstorepass puppet
-srcstoretype
> > > PKCS12 -alias puppet-master.xyz.com'' returned 1 instead
of one of [0]
> > > at
/opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
> > > 138
>
> > > Source:
> > >
/Stage[main]/Pe_mcollective::Posix/Exec[broker_cert_keystore]/returns
>
> > > File:
> > >
/opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp
>
> > > I have uninstalled and cleaned out the dirs before installing,
but no
> > > change. Looks like something got wacked up with the creation of
the
> > > keystore.. Any suggestions
>
> > > Thanks
> > > Shiva
>
> > > --
> > > You received this message because you are subscribed to the
Google Groups
> > > "Puppet Users" group.
> > > To post to this group, send email to
puppet-users@googlegroups.com<javascript:;>
> > > .
> > > To unsubscribe from this group, send email to
> > > puppet-users+unsubscribe@googlegroups.com <javascript:;>.
> > > For more options, visit this group at
> > >http://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, May 24, 2012 at 7:41 AM, Shiva
<shivaraman.ramadoss@gmail.com>wrote:
> Jeff
>
> Have you been able to identify the fix.. I am kinda stuck and havent
> been able to move forward with this..
>
I haven''t yet.  I''ll be in IRC today and will look at this
right now.  I''m
jmccune on freenode, please ping me there and we can work on this a bit
more.

-Jeff

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, May 22, 2012 at 6:58 AM, Shiva
<shivaraman.ramadoss@gmail.com>wrote:
> I am installing puppet enterprise manager (master) on a RHEL box.
> Though the install itself succeeds without any issues, the first run
> of puppet when it tries to deploy the pe_mcollective module fails with
> the following error.
>
> Message:
> change from notrun to 0 failed: sh -c ''umask 077; keytool -
> importkeystore -deststorepass puppet -destkeypass puppet -destkeystore
> broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype
> PKCS12 -alias puppet-master.xyz.com'' returned 1 instead of one of
[0]
> at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
> 138
>
OK, I dove into this and I think it might be caused by a difference in
behavior between Java on CentOS and Java on RHEL.  The keytool command
Puppet is executing returns 0 on CentOS 6.2 but this doesn''t guarantee
the
behavior is the same with RHEL 6.2.

Could you let me know what /usr/bin/keytool is using ls -l?  If it''s a
symbolic link, can you follow it and let me know where it ends up?
 Finally, could you run rpm -qf on the resulting file?  (for me on CentOS
6.2 it ultimately links to /usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool owned
by java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.i686

-Jeff

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

<br><br><span style="font-family:Prelude, Verdana,
san-serif;"><br><br></span><span
id="signature"><div style="font-family: arial, sans-serif;
font-size: 12px;color: #999999;">-- Sent from my HP
Veer</div><br></span><span style="color:navy;
font-family:Prelude, Verdana, san-serif; "><hr align="left"
style="width:75%">On May 24, 2012 17:21, Jeff McCune
&lt;jeff@puppetlabs.com&gt; wrote: <br><br></span>On
Tue, May 22, 2012 at 6:58 AM, Shiva <span
dir="ltr">&lt;<a
href="mailto:shivaraman.ramadoss@gmail.com"
target="_blank">shivaraman.ramadoss@gmail.com</a>&gt;</span>
wrote:<br><div class="gmail_quote"><blockquote
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">

I am installing puppet enterprise manager (master) on a RHEL box.<br>
Though the install itself succeeds without any issues, the first run<br>
of puppet when it tries to deploy the pe_mcollective module fails with<br>
the following error.<br>
<br>
Message:<br>
change from notrun to 0 failed: sh -c &#39;umask 077; keytool -<br>
importkeystore -deststorepass puppet -destkeypass puppet -destkeystore<br>
broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype<br>
PKCS12 -alias <a href="http://puppet-master.xyz.com"
target="_blank">puppet-master.xyz.com</a>&#39; returned 1
instead of one of [0]<br>
at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:<br>
138<br></blockquote><div><br></div><div>OK,
I dove into this and I think it might be caused by a difference in behavior
between Java on CentOS and Java on RHEL.  The keytool command Puppet is
executing returns 0 on CentOS 6.2 but this doesn&#39;t guarantee the
behavior is the same with RHEL 6.2.</div>

<div><br></div><div>Could you let me know what
/usr/bin/keytool is using ls -l?  If it&#39;s a symbolic link, can you
follow it and let me know where it ends up?  Finally, could you run rpm -qf on
the resulting file?  (for me on CentOS 6.2 it ultimately links to
/usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool owned
by java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.i686</div>

<div> </div><div>-Jeff</div></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.<br />
To post to this group, send email to puppet-users@googlegroups.com.<br />
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.<br />

For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.<br />


<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.<br />
To post to this group, send email to puppet-users@googlegroups.com.<br />
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.<br />

For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.<br />

<br><br><span style="font-family:Prelude, Verdana,
san-serif;"><br><br></span><span
id="signature"><div style="font-family: arial, sans-serif;
font-size: 12px;color: #999999;">-- Sent from my HP
Veer</div><br></span><span style="color:navy;
font-family:Prelude, Verdana, san-serif; "><hr align="left"
style="width:75%">On May 24, 2012 17:21, Jeff McCune
&lt;jeff@puppetlabs.com&gt; wrote: <br><br></span>On
Tue, May 22, 2012 at 6:58 AM, Shiva <span
dir="ltr">&lt;<a
href="mailto:shivaraman.ramadoss@gmail.com"
target="_blank">shivaraman.ramadoss@gmail.com</a>&gt;</span>
wrote:<br><div class="gmail_quote"><blockquote
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">

I am installing puppet enterprise manager (master) on a RHEL box.<br>
Though the install itself succeeds without any issues, the first run<br>
of puppet when it tries to deploy the pe_mcollective module fails with<br>
the following error.<br>
<br>
Message:<br>
change from notrun to 0 failed: sh -c &#39;umask 077; keytool -<br>
importkeystore -deststorepass puppet -destkeypass puppet -destkeystore<br>
broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype<br>
PKCS12 -alias <a href="http://puppet-master.xyz.com"
target="_blank">puppet-master.xyz.com</a>&#39; returned 1
instead of one of [0]<br>
at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:<br>
138<br></blockquote><div><br></div><div>OK,
I dove into this and I think it might be caused by a difference in behavior
between Java on CentOS and Java on RHEL.  The keytool command Puppet is
executing returns 0 on CentOS 6.2 but this doesn&#39;t guarantee the
behavior is the same with RHEL 6.2.</div>

<div><br></div><div>Could you let me know what
/usr/bin/keytool is using ls -l?  If it&#39;s a symbolic link, can you
follow it and let me know where it ends up?  Finally, could you run rpm -qf on
the resulting file?  (for me on CentOS 6.2 it ultimately links to
/usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool owned
by java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.i686</div>

<div> </div><div>-Jeff</div></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.<br />
To post to this group, send email to puppet-users@googlegroups.com.<br />
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.<br />

For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.<br />


<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.<br />
To post to this group, send email to puppet-users@googlegroups.com.<br />
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.<br />

For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.<br />

Jeff

This is where the keytool is

lrwxrwxrwx. 1 root root 49 Apr 27 08:18 keytool -> /usr/lib/jvm/
jre-1.6.0-openjdk.x86_64/bin/keytool

Thanks
Shiva

On May 24, 6:47 pm, <robert.vanvee...@gmail.com>
wrote:
> -- Sent from my HP VeerOn May 24, 2012 17:21, Jeff McCune
<jeff@puppetlabs.com> wrote:On Tue, May 22, 2012 at 6:58 AM,
Shiva<shivaraman.ramadoss@gmail.com>wrote:I am installing puppet
enterprise manager (master) on a RHEL box.
> Though the install itself succeeds without any issues, the first run
> of puppet when it tries to deploy the pe_mcollective module fails with
> the following error.
> Message:
> change from notrun to 0 failed: sh -c ''umask 077; keytool -
> importkeystore -deststorepass puppet -destkeypass puppet -destkeystore
> broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype
> PKCS12 -aliaspuppet-master.xyz.com'' returned 1 instead of one of
[0]
> at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
> 138
>
> OK, I dove into this and I think it might be caused by a difference in
behavior between Java on CentOS and Java on RHEL.  The keytool command Puppet is
executing returns 0 on CentOS 6.2 but this doesn''t guarantee the
behavior is the same with RHEL 6.2.
>
>
>
> Could you let me know what /usr/bin/keytool is using ls -l?  If
it''s a symbolic link, can you follow it and let me know where it ends
up?  Finally, could you run rpm -qf on the resulting file?  (for me on CentOS
6.2 it ultimately links to /usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool owned
by java-1.6.0-openjdk-1.6.0.0-1.43.1.10.6.el6_2.i686
>
>
>
> -Jeff
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, May 29, 2012 at 6:19 AM, Shiva
<shivaraman.ramadoss@gmail.com>wrote:
> Jeff
>
> This is where the keytool is
>
> lrwxrwxrwx. 1 root root 49 Apr 27 08:18 keytool -> /usr/lib/jvm/
> jre-1.6.0-openjdk.x86_64/bin/keytool
>
That looks correct.

What version of the package do you have installed?  You can check using:
rpm -qf /usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool

(Please paste the full line printed on the output.  Package versions get
pretty specific.)

Cheers,
-Jeff

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Here you go..

 rpm -qf /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/keytool
java-1.6.0-openjdk-1.6.0.0-1.41.1.10.4.el6.x86_64


On May 29, 4:39 pm, Jeff McCune <j...@puppetlabs.com>
wrote:
> On Tue, May 29, 2012 at 6:19 AM, Shiva
<shivaraman.ramad...@gmail.com>wrote:
>
> > Jeff
>
> > This is where the keytool is
>
> > lrwxrwxrwx. 1 root root 49 Apr 27 08:18 keytool -> /usr/lib/jvm/
> > jre-1.6.0-openjdk.x86_64/bin/keytool
>
> That looks correct.
>
> What version of the package do you have installed?  You can check using:
> rpm -qf /usr/lib/jvm/jre-1.6.0-openjdk/bin/keytool
>
> (Please paste the full line printed on the output.  Package versions get
> pretty specific.)
>
> Cheers,
> -Jeff
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, May 22, 2012 at 6:58 AM, Shiva <shivaraman.ramadoss@gmail.com>
wrote:
> I am installing puppet enterprise manager (master) on a RHEL box.
> Though the install itself succeeds without any issues, the first run
> of puppet when it tries to deploy the pe_mcollective module fails with
> the following error.
>
> Message:
> change from notrun to 0 failed: sh -c ''umask 077; keytool -
> importkeystore -deststorepass puppet -destkeypass puppet -destkeystore
> broker.ks -srckeystore broker.p12 -srcstorepass puppet -srcstoretype
> PKCS12 -alias puppet-master.xyz.com'' returned 1 instead of one of
[0]
> at /opt/puppet/share/puppet/modules/pe_mcollective/manifests/posix.pp:
> 138
For posterity, Shiva, Gary and I worked on this issue this afternoon
and found the root cause to be a problem with the fqdn fact and the
return value of the puppet cert command.

The fqdn fact was returning the empty string, which caused the
manifest to execute this command:

puppet cert --generate pe-internal-broker --dns_alt_names
''${pe_mcollective::stomp_server},${::fqdn},stomp''

Since $fqdn is the empty string, two consecutive commas were passed to
the dns_alt_names option.  This, in turn caused puppet cert to fail
with an argument error.  Even though it failed, the command returns an
exit status of 0 (which is a bug in Puppet).  This caused Puppet to
think the command executed successfully and proceeded to try and
convert the PEM files into PKCS12 files.

So, even though the keytool command was failing the root cause was
actually the fqdn fact being empty.

If anyone else runs into this, chance if `facter fqdn` returns what
you expect.  If it doesn''t print anything out this may be the cause of
this error.

The solution was do add the line `domain foo.bar.com` to
/etc/resolv.conf which then caused `facter fqdn` to return the
expected value.

Hope this helps,
-Jeff

(Now to go fix puppet cert and facter fqdn ...)

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.