Piotr Jasiulewicz
2013-Jul-12 16:44 UTC
[Puppet Users] Permission problem on puppet master
Hi,

having some problems running puppet:

root@puppet:/etc# puppet master --debug --verbose --no-daemonize
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/run/puppet/master.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/server_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/rrd]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: Finishing transaction 70230043318440
debug: /File[/var/lib/puppet/ssl/ca/private]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/private/ca.pass]: Autorequiring File[/var/lib/puppet/ssl/ca/private]
debug: /File[/var/lib/puppet/ssl/ca/serial]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/inventory.txt]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: Finishing transaction 70230042058100
debug: Using cached certificate for ca
info: Creating a new SSL key for puppet.sherstondevelopments.co.uk
Could not run: Could not write /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem to privatekeydir: Permission denied - /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem

Any clues anyone? The permissions of the file seem to change whenever I run this :/

Cheers,
Piotr

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
Piotr Jasiulewicz
2013-Jul-15 11:36 UTC
[Puppet Users] Re: Permission problem on puppet master
Hi,

just bumping this, still looking and still have a problem, anyone any clues?

Thanks,
Piotr

On Friday, 12 July 2013 17:44:41 UTC+1, user Piotr Jasiulewicz wrote:
jcbollinger
2013-Jul-16 15:16 UTC
[Puppet Users] Re: Permission problem on puppet master
On Monday, July 15, 2013 6:36:37 AM UTC-5, Piotr Jasiulewicz wrote:

First off, the master does not need to run as a privileged user (e.g. root), as your transcript shows you doing. Since it does not need to run with privilege, good security practices dictate that it *not* run with privilege.

I can imagine you saying that reducing process privileges is a move in the wrong direction when you are faced with a permissions problem, but in this case it is absolutely the right thing to do. You need to get the master working for the way you want it to run, so you should test that way. If you installed Puppet via a package (RPM, DEB, etc.) then it probably set up an unprivileged user account for you, likely named "puppet" or something similar. Does the master fail the same way if you launch it as that user?

sudo -u puppet puppet master --debug --verbose --no-daemonize

And also when you launch it via your distro's service management tools?

service puppetmaster start

(or similar).

You might find that it does not. Inasmuch as puppet fails with a permission error when running from a privileged account, there must be more at play than just ordinary discretionary access controls. SELinux running in enforcing mode, for example, could allow the master to run correctly when launched by the service manager, but cause permission denials such as you observed when the master is launched directly from a root shell.

Alternatively, if the target file is on a file system mounted read-only, then even root will be unable to modify its contents. Or if the target file is on a network file system such as NFS, then the local root user may actually have less permission for its contents than some or all ordinary users.

I hope that gives you a nudge in the right direction. If it is needed, we may be able to render further assistance once you have narrowed down the cause of the permission denial.

John
Piotr Jasiulewicz
2013-Jul-16 16:41 UTC
[Puppet Users] Re: Permission problem on puppet master
Hi John,

thanks for your answer, launching via service was the first thing I tried (which also produces the same error).

The Linux is Ubuntu 13.X

The startup:

root@puppet:/etc/puppet# service puppetmaster start
 * Starting puppet master
Could not run: Could not write /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem to privatekeydir: Permission denied - /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem

The directory:

root@puppet:/etc/puppet# ls -la /var/lib/puppet/ssl/private_keys/
total 8
drwxr-x--- 2 puppet root   4096 Jul 12 12:27 .
drwxrwx--x 8 puppet puppet 4096 Jun 25 12:54 ..

The script:

root@puppet:/etc/puppet# cat /etc/init.d/puppetmaster
#! /bin/sh
### BEGIN INIT INFO
# Provides:          puppetmaster
# Required-Start:    $network $named $remote_fs $syslog
# Required-Stop:     $network $named $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: puppet master
# Description:       The puppet master accepts connections from puppet agents,
#                    compiles manifests into catalogs for them, acts as a file
#                    server and report server.
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/puppet
DAEMON_OPTS=""
NAME=master
DESC="puppet master"

test -x $DAEMON || exit 0

[ -r /etc/default/puppetmaster ] && . /etc/default/puppetmaster

. /lib/lsb/init-functions

if [ ! -d /var/run/puppet ]; then
    mkdir -p /var/run/puppet
fi

chown puppet:puppet /var/run/puppet

is_true() {
    if [ "x$1" = "xtrue" -o "x$1" = "xyes" -o "x$1" = "x0" ] ; then
        return 0
    else
        return 1
    fi
}

start_puppet_master() {
    if is_true "$START" ; then
        start-stop-daemon --start --pidfile /var/run/puppet/${NAME}.pid \
            --startas $DAEMON -- $NAME $DAEMON_OPTS
    else
        echo ""
        echo "puppetmaster not configured to start, please edit /etc/default/puppetmaster to enable"
    fi
}

stop_puppet_master() {
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/puppet/${NAME}.pid
}

status_puppet_master() {
    status_of_proc -p "/var/run/puppet/${NAME}.pid" "${DAEMON}" "${NAME}"
}

case "$1" in
    start)
        log_begin_msg "Starting $DESC"
        start_puppet_master
        log_end_msg $?
        ;;
    stop)
        log_begin_msg "Stopping $DESC"
        stop_puppet_master
        log_end_msg $?
        ;;
    reload)
        # Do nothing, as Puppetmaster rechecks its config automatically
        ;;
    status)
        status_puppet_master
        ;;
    restart|force-reload)
        log_begin_msg "Restarting $DESC"
        stop_puppet_master
        sleep 1
        start_puppet_master
        log_end_msg $?
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|force-reload}" >&2
        exit 1
        ;;
esac

Still dunno what to do :/

any clues?

Thanks,
Piotr

The directory has all rights for puppet as the user, still could not get anywhere with that.

On Tuesday, 16 July 2013 16:16:32 UTC+1, user jcbollinger wrote:
jcbollinger
2013-Jul-17 15:13 UTC
[Puppet Users] Re: Permission problem on puppet master
On Tuesday, July 16, 2013 11:41:12 AM UTC-5, Piotr Jasiulewicz wrote:

Do continue to test via "service puppetmaster start".

At this point, I suspect an SELinux policy or labeling problem. You should be able to test this fairly easily by switching SELinux to permissive mode and trying again to start the master:

setenforce 0
service puppetmaster start

If the master then starts successfully then such an SELinux problem is confirmed. Moreover, you will probably then find an AVC message in your log, and maybe even a desktop alert, that explains the nature of the problem. In fact, you may see explanatory AVC messages in your log already.

Supposing that you have an SELinux issue and you do want SELinux enforcing mandatory access controls, the long-term solution is to ensure that your SELinux policy provides for the required access and that your filesystem is labeled correctly. The best way to achieve those objectives depends on your distro and on how you installed Puppet.

John
Piotr Jasiulewicz
2013-Jul-17 15:17 UTC
[Puppet Users] Re: Permission problem on puppet master
Hi John

there is no SELinux on this system. Issue still is an issue.. :/

Cheers,
Piotr

On Wednesday, 17 July 2013 16:13:24 UTC+1, user jcbollinger wrote:
On Wednesday, July 17, 2013 10:17:50 AM UTC-5, Piotr Jasiulewicz wrote:
>
> Hi John
>
> there is no SELinux on this system. Issue still is an issue.. :/
>

Count me a bit dubious of that claim. It's quite hard to find a Linux
these days that does not at least have SELinux in the kernel. But maybe
you built a LFS system for yourself, or something.

If Puppet is anywhere in the ballpark with respect to characterizing the
problem, then it is some kind of failure writing a new file to an
existing directory to which discretionary access controls permit access. I
already enumerated most of the variations on that theme that I could think
of, but here's an amended summary:

- blockage by SELinux
- filesystem mounted read-only
- remote filesystem, with access blocked at the protocol level
- (new) virtual machine, with access blocked by the virtualization layer
- (new) filesystem is full

If none of those seem to apply then you may be able to get a clue as to
what's happening by running the master under strace.

John
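The checklist John gives above, written out as a shell function (an added example, not code from the thread or from Puppet): it reports DAC for the calling user, the mount in effect (read-only flag, remote or virtualised filesystem type), free space, the SELinux mode if the tools exist, and then repeats the master's failing step by creating a file in the directory. The filesystem-type list, the probe file name and the strace command line are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Walks the causes listed above for a
# write that fails to a directory DAC appears to permit, then reproduces the
# failing operation (creating a new file). Returns 0 only if that succeeds.
# Run it as the daemon's account, which is what the master itself runs as:
#   su -s /bin/sh puppet -c '. ./diag.sh; diag_dir_write /var/lib/puppet/ssl/private_keys'
diag_dir_write() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }

    # 1. Discretionary access for the user actually running this check
    if [ -w "$dir" ]; then echo "dac: $(id -un) may write to $dir"
    else echo "dac: $(id -un) may NOT write to $dir"; fi

    # 2. The mount in effect: longest mount point that prefixes $dir
    if [ -r /proc/mounts ]; then
        mnt=$(awk -v d="$dir/" '{ m = $2; if (m != "/") m = m "/"
            if (index(d, m) == 1 && length(m) > length(best)) best = $0 }
            END { print best }' /proc/mounts)
        if [ -n "$mnt" ]; then
            set -- $mnt
            echo "mount: $2 type=$3 opts=$4"
            case ",$4," in *,ro,*) echo "cause: filesystem mounted read-only" ;; esac
            case $3 in nfs*|cifs|smb*|fuse*|9p|vboxsf|virtiofs)   # assumed list
                echo "hint: remote/virtualised fs, the block may be on the other side" ;; esac
        fi
    fi

    # 3. Space left on that filesystem (df -P is POSIX; column 4 = available)
    avail=$(df -P "$dir" | awk 'NR == 2 { print $4 }')
    [ "${avail:-1}" -gt 0 ] || echo "cause: filesystem full (0 blocks free)"

    # 4. SELinux mode, if the userland tools are installed at all
    if command -v getenforce >/dev/null 2>&1; then echo "selinux: $(getenforce)"
    else echo "selinux: getenforce not present"; fi

    # 5. Reproduce the master's failing step: create a new file in $dir
    probe="$dir/.write-probe.$$"
    if err=$( { true > "$probe"; } 2>&1 ); then
        rm -f "$probe"; echo "write: ok"; return 0
    fi
    echo "write: FAILED: $err"
    echo "next: strace -f -e trace=file -o /tmp/pm.strace puppet master --no-daemonize"
    return 1
}
```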
Piotr Jasiulewicz
2013-Jul-18 14:05 UTC
[Puppet Users] Re: Permission problem on puppet master
Hi,

well resolved by changing the puppet version. There is no selinux on ubuntu by default.

Thanks,
Piotr

On Thursday, 18 July 2013 14:31:00 UTC+1, jcbollinger wrote:
>
> On Wednesday, July 17, 2013 10:17:50 AM UTC-5, Piotr Jasiulewicz wrote:
>>
>> Hi John
>>
>> there is no SELinux on this system. Issue still is an issue.. :/
>>
>
> Count me a bit dubious of that claim. It's quite hard to find a Linux
> these days that does not at least have SELinux in the kernel. But maybe
> you built a LFS system for yourself, or something.
>
> If Puppet is anywhere in the ballpark with respect to characterizing the
> problem, then it is some kind of failure writing a new file to an
> existing directory to which discretionary access controls permit access. I
> already enumerated most of the variations on that theme that I could think
> of, but here's an amended summary:
>
> - blockage by SELinux
> - filesystem mounted read-only
> - remote filesystem, with access blocked at the protocol level
> - (new) virtual machine, with access blocked by the virtualization layer
> - (new) filesystem is full
>
> If none of those seem to apply then you may be able to get a clue as to
> what's happening by running the master under strace.
>
> John