Brendan Murtagh
2013-Jan-29 21:49 UTC
[Puppet Users] Questions/Concerns Related to Changing Console DB Password
Hello, I ran into an issue today as I began to transition into a production environment from my Puppet testbed. I am using Puppet Enterprise 2.7 for Ubuntu (x64) and ran through the Installer and configured the Console, Cloud Provisioner, and Master on the same box. This all went well. I then began setting up agent1 for testing and after installing PE, updating the environment in the agent''s puppet.conf, signing the agent''s cert, I tried to do a puppet agent -td. This failed with the error: *err: Could not retrieve catalog from remote server: Error 400 on SERVER: Access denied for user ''console''@''localhost'' (using password: YES)* During the Installer I was never prompted to enter the password for the Console user so initially I was stuck. I visited IRC and Ancillas and I went back and forth trying to figure out the cause. We viewed the passwords in /etc/puppetlabs/puppet/puppet.conf and /etc/puppetlabs/puppet-dashboard/database.yml but both are encrypted. I was going to attempt a reinstall of the Master, but then I found http://docs.puppetlabs.com/pe/2.0/maint_reconfiguring.html#changing-the-consoles-database-userpassword I followed the steps and everything worked like a charm. My main questions piggy-back one another... 1. What type of encryption/hash is used to initially write the password to those files? Can it be decrypted? 2. I''d prefer to store the db password in an encrypted fashion, is there a way to do this from within Puppet? I assume I could use a MySQL Administration and view the MySQL Users and copy that, but that seems excessive. Thanks, Brendan -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Matthaus Owens
2013-Jan-29 23:01 UTC
Re: [Puppet Users] Questions/Concerns Related to Changing Console DB Password
I''m CCing the pe-users list as this is a Puppet Enterprise specific question. The passwords in puppet.conf and database.yml are not encrypted, those are the passwords (they are also stored in the answers file in the installer directory and in /etc/puppetlabs/installer/database_info.install). To store the db password encrypted, you could use hiera-gpg [1][2], or a custom function of your own design. HTH [1] - http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/ [2] - https://rubygems.org/gems/hiera-gpg On Tue, Jan 29, 2013 at 1:49 PM, Brendan Murtagh <brendan.r.murtagh@gmail.com> wrote:> Hello, > > I ran into an issue today as I began to transition into a production > environment from my Puppet testbed. I am using Puppet Enterprise 2.7 for > Ubuntu (x64) and ran through the Installer and configured the Console, Cloud > Provisioner, and Master on the same box. This all went well. I then began > setting up agent1 for testing and after installing PE, updating the > environment in the agent''s puppet.conf, signing the agent''s cert, I tried to > do a puppet agent -td. This failed with the error: > > err: Could not retrieve catalog from remote server: Error 400 on SERVER: > Access denied for user ''console''@''localhost'' (using password: YES) > > During the Installer I was never prompted to enter the password for the > Console user so initially I was stuck. > > I visited IRC and Ancillas and I went back and forth trying to figure out > the cause. We viewed the passwords in /etc/puppetlabs/puppet/puppet.conf and > /etc/puppetlabs/puppet-dashboard/database.yml but both are encrypted. I was > going to attempt a reinstall of the Master, but then I found > http://docs.puppetlabs.com/pe/2.0/maint_reconfiguring.html#changing-the-consoles-database-userpassword > I followed the steps and everything worked like a charm. > > My main questions piggy-back one another... > > 1. What type of encryption/hash is used to initially write the password to > those files? Can it be decrypted? > > 2. I''d prefer to store the db password in an encrypted fashion, is there a > way to do this from within Puppet? I assume I could use a MySQL > Administration and view the MySQL Users and copy that, but that seems > excessive. > > Thanks, > > Brendan > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscribe@googlegroups.com. > To post to this group, send email to puppet-users@googlegroups.com. > Visit this group at http://groups.google.com/group/puppet-users?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > >-- Matthaus Owens Release Manager, Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
pdiddy
2013-May-17 18:00 UTC
[Puppet Users] Re: Questions/Concerns Related to Changing Console DB Password
I did follow below mentioned link, however i''m still getting the same error while restoring the database... puppet-dashboard@lxpuppet:~$ rake RAILS_ENV=production FILE=/serversoftware/yum/puppet-db.sql db:raw:restore --trace (in /opt/puppet/share/puppet-dashboard) ** Invoke db:raw:restore (first_time) ** Execute db:raw:restore mysql --user=console --password=Kds03AcW0Y1IjMyt9717 console < /serversoftware/yum/puppet-db.sql ERROR 1045 (28000): Access denied for user ''console''@''localhost'' (using password: YES) rake aborted! Command failed with status (1): [mysql --user=console --password=Kds03AcW0Y...] /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:994:in `sh'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1009:in `call'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1009:in `sh'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1093:in `sh'' /opt/puppet/share/puppet-dashboard/lib/tasks/db_raw.rake:43 /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:635:in `call'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:635:in `execute'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:630:in `each'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:630:in `execute'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:596:in `invoke_with_call_chain'' /opt/puppet/lib/ruby/1.8/monitor.rb:242:in `synchronize'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:589:in `invoke_with_call_chain'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:582:in `invoke'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2050:in `invoke_task'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2028:in `top_level'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2028:in `each'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2028:in `top_level'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2067:in `standard_exception_handling'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2022:in `top_level'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2000:in `run'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2067:in `standard_exception_handling'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1997:in `run'' /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/bin/rake:31 /opt/puppet/bin/rake:19:in `load'' /opt/puppet/bin/rake:19 I used below command to export the db rake RAILS_ENV=production FILE=/serversoftware/yum/puppet-db.sql db:raw:dump Please help me resolve the issue... ---- On Tuesday, January 29, 2013 4:49:28 PM UTC-5, Brendan Murtagh wrote:> > Hello, > > I ran into an issue today as I began to transition into a production > environment from my Puppet testbed. I am using Puppet Enterprise 2.7 for > Ubuntu (x64) and ran through the Installer and configured the Console, > Cloud Provisioner, and Master on the same box. This all went well. I then > began setting up agent1 for testing and after installing PE, updating the > environment in the agent''s puppet.conf, signing the agent''s cert, I tried > to do a puppet agent -td. This failed with the error: > > *err: Could not retrieve catalog from remote server: Error 400 on SERVER: > Access denied for user ''console''@''localhost'' (using password: YES)* > > During the Installer I was never prompted to enter the password for the > Console user so initially I was stuck. > > I visited IRC and Ancillas and I went back and forth trying to figure out > the cause. We viewed the passwords in /etc/puppetlabs/puppet/puppet.conf > and /etc/puppetlabs/puppet-dashboard/database.yml but both are encrypted. I > was going to attempt a reinstall of the Master, but then I found > http://docs.puppetlabs.com/pe/2.0/maint_reconfiguring.html#changing-the-consoles-database-userpasswordI followed the steps and everything worked like a charm. > > My main questions piggy-back one another... > > 1. What type of encryption/hash is used to initially write the password to > those files? Can it be decrypted? > > 2. I''d prefer to store the db password in an encrypted fashion, is there a > way to do this from within Puppet? I assume I could use a MySQL > Administration and view the MySQL Users and copy that, but that seems > excessive. > > Thanks, > > Brendan > > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Parag Darji
2013-May-17 18:42 UTC
Re: [Puppet Users] Re: Questions/Concerns Related to Changing Console DB Password
Actually before taking the db dump i ran "rm -rf /var/lib/mysql/*... It looks like this may have messed it up... On Fri, May 17, 2013 at 2:00 PM, pdiddy <dparag@gmail.com> wrote:> I did follow below mentioned link, however i''m still getting the same > error while restoring the database... > > puppet-dashboard@lxpuppet:~$ rake RAILS_ENV=production > FILE=/serversoftware/yum/puppet-db.sql db:raw:restore --trace > (in /opt/puppet/share/puppet-dashboard) > ** Invoke db:raw:restore (first_time) > ** Execute db:raw:restore > mysql --user=console --password=Kds03AcW0Y1IjMyt9717 console < > /serversoftware/yum/puppet-db.sql > ERROR 1045 (28000): Access denied for user ''console''@''localhost'' (using > password: YES) > rake aborted! > Command failed with status (1): [mysql --user=console > --password=Kds03AcW0Y...] > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:994:in `sh'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1009:in `call'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1009:in `sh'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1093:in `sh'' > /opt/puppet/share/puppet-dashboard/lib/tasks/db_raw.rake:43 > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:635:in `call'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:635:in `execute'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:630:in `each'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:630:in `execute'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:596:in > `invoke_with_call_chain'' > /opt/puppet/lib/ruby/1.8/monitor.rb:242:in `synchronize'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:589:in > `invoke_with_call_chain'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:582:in `invoke'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2050:in > `invoke_task'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2028:in > `top_level'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2028:in `each'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2028:in > `top_level'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2067:in > `standard_exception_handling'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2022:in > `top_level'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2000:in `run'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:2067:in > `standard_exception_handling'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/lib/rake.rb:1997:in `run'' > /opt/puppet/lib/ruby/gems/1.8/gems/rake-0.8.7/bin/rake:31 > /opt/puppet/bin/rake:19:in `load'' > /opt/puppet/bin/rake:19 > > I used below command to export the db > rake RAILS_ENV=production FILE=/serversoftware/yum/puppet-db.sql > db:raw:dump > > Please help me resolve the issue... > ---- > > > > On Tuesday, January 29, 2013 4:49:28 PM UTC-5, Brendan Murtagh wrote: >> >> Hello, >> >> I ran into an issue today as I began to transition into a production >> environment from my Puppet testbed. I am using Puppet Enterprise 2.7 for >> Ubuntu (x64) and ran through the Installer and configured the Console, >> Cloud Provisioner, and Master on the same box. This all went well. I then >> began setting up agent1 for testing and after installing PE, updating the >> environment in the agent''s puppet.conf, signing the agent''s cert, I tried >> to do a puppet agent -td. This failed with the error: >> >> *err: Could not retrieve catalog from remote server: Error 400 on >> SERVER: Access denied for user ''console''@''localhost'' (using password: >> YES)* >> >> During the Installer I was never prompted to enter the password for the >> Console user so initially I was stuck. >> >> I visited IRC and Ancillas and I went back and forth trying to figure out >> the cause. We viewed the passwords in /etc/puppetlabs/puppet/puppet.**conf >> and /etc/puppetlabs/puppet-**dashboard/database.yml but both are >> encrypted. I was going to attempt a reinstall of the Master, but then I >> found http://docs.puppetlabs.com/pe/**2.0/maint_reconfiguring.html#** >> changing-the-consoles-**database-userpassword<http://docs.puppetlabs.com/pe/2.0/maint_reconfiguring.html#changing-the-consoles-database-userpassword>I followed the steps and everything worked like a charm. >> >> My main questions piggy-back one another... >> >> 1. What type of encryption/hash is used to initially write the password >> to those files? Can it be decrypted? >> >> 2. I''d prefer to store the db password in an encrypted fashion, is there >> a way to do this from within Puppet? I assume I could use a MySQL >> Administration and view the MySQL Users and copy that, but that seems >> excessive. >> >> Thanks, >> >> Brendan >> >> >> -- > You received this message because you are subscribed to a topic in the > Google Groups "Puppet Users" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/puppet-users/66_eLqMr2zE/unsubscribe?hl=en > . > To unsubscribe from this group and all its topics, send an email to > puppet-users+unsubscribe@googlegroups.com. > To post to this group, send email to puppet-users@googlegroups.com. > Visit this group at http://groups.google.com/group/puppet-users?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > >-- ------------------------------------- Thanks Parag Darji -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.