Trying out puppet-acl module on Windows Server 2016, Preview5. I'm getting the weirdest error on the second puppet run. If i remove the trnsactionstore.yaml file, and re-run the puppet agent, the behavior is repeatable. Im running puppet4 with latest agent version.
This is my codeblock
acl { "c:/temp":
permissions => [
{ identity => 'Administrator', rights => ['full'] },
{ identity => 'Users', rights => ['read','execute'] }
],
}
This is the output from the puppet-run.
PS C:\ProgramData\PuppetLabs\puppet\cache\state> puppet agent -t
Info: Using configured environment 'local'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for opslowebf02n02.local
Error: Transaction store file C:/ProgramData/PuppetLabs/puppet/cache/state/transactionstore.yaml is corrupt (wrong number of arguments (0 for 1..2)); replacing
Error: Transaction state file C:/ProgramData/PuppetLabs/puppet/cache/state/transactionstore.yaml is valid YAML but not returning a hash. Check the file for corruption, or remove it before continuing.
Info: Applying configuration version '1471436916'
Notice: /Stage[main]/platform_base_system::Role::Windows/Exec[check-powershell-exection-policy]/returns: executed successfully
Notice: /Stage[main]/configs_iis::Profile::Default/Exec[check-iis-global-anonymous-authentication]/returns: executed successfully
Notice: Applied catalog in 7.42 seconds
In the transactionstore.yaml file, this is the error section:
Acl[c:/temp]:
parameters:
permissions:
system_value:
- !ruby/hash:Puppet::Type::Acl::Ace {}
- !ruby/hash:Puppet::Type::Acl::Ace {}
inherit_parent_permissions:
system_value: :true
This has been resolved by dowwngrading the puppet agent to 4.5.3.
Behavior of the 4.6.0 version must have changed.
With 4.5.3 i still see the error in the logfile, but the puppetrun does not fail
I'll try to talk to the people at puppet about this.
Acl[c:/temp]:
parameters:
permissions:
system_value:
- !ruby/hash:Puppet::Type::Acl::Ace {}
- !ruby/hash:Puppet::Type::Acl::Ace {}
inherit_parent_permissions:
system_value: :true
This is being tracked as https://tickets.puppetlabs.com/browse/PUP-6629. It's almost coincidental that you created https://tickets.puppetlabs.com/browse/PUP-6630 right afterwards.
Related
I am not new to puppet, but I am new to using it on Windows. Trying to configure chocolatey using the puppetlabs/chocolatey module. Initial puppet run without the module worked just fine. Then I added include chocolatey to the manifest, and it downloaded and installed chocolatey. So far, so good. However, then I went to add a custom source like so:
chocolateysource { 'mysource':
ensure => present,
location => 'https://my.chocolatey.source',
priority => 10,
}
Now I get the following message when running puppet agent -t:
PS C:\Windows\system32> puppet agent -t
Error: Could not autoload puppet/provider/package/chocolatey: C:/ProgramData/PuppetLabs/puppet/cache/lib/puppet/provider/package/chocolatey.rb:280: syntax error, unexpected '.'
pin_output&.split("\n")&.each { |pin| pin...
^
C:/ProgramData/PuppetLabs/puppet/cache/lib/puppet/provider/package/chocolatey.rb:280: syntax error, unexpected '.'
... pin_output&.split("\n")&.each { |pin| pins << pin.spli...
... ^
Error: Facter: error while resolving custom facts in C:/ProgramData\PuppetLabs\puppet\cache\lib\facter\package_provider.rb: Could not autoload puppet/provider/package/chocolatey: C:/ProgramData/PuppetLabs/puppet/cache/lib/puppet/provider/package/chocolatey.rb:280: syntax error, unexpected '.'
pin_output&.split("\n")&.each { |pin| pin...
^
C:/ProgramData/PuppetLabs/puppet/cache/lib/puppet/provider/package/chocolatey.rb:280: syntax error, unexpected '.'
... pin_output&.split("\n")&.each { |pin| pins << pin.spli...
... ^
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Redefining package in Puppet::Type
Error: Could not autoload puppet/type/chocolateysource: C:/ProgramData/PuppetLabs/puppet/cache/lib/puppet/type/chocolateysource.rb:221: syntax error, unexpected '.'
parameter(:password)&.sensitive = true
^
Error: Could not retrieve catalog from remote server: Could not intern from text/pson: Could not autoload puppet/type/chocolateysource: C:/ProgramData/PuppetLabs/puppet/cache/lib/puppet/type/chocolateysource.rb:221: syntax error, unexpected '.'
parameter(:password)&.sensitive = true
^
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
As a non-Windows user, I feel like I'm missing something to make this work, but I'm not sure what it is. I have verified that .Net framework is installed, but not sure what else to check here. Thanks in advance for any help.
Turns out the version was the issue. I had mistakenly installed puppet 4 agent, while the server is puppet 7.
I am testing this out and getting an error on the Puppet agent node
[root#pagent1 ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Could not find class ::nginx for pagent1.testcentos7.com (file: /etc/puppetlabs/code/environments/production/manifests/site.pp, line: 3, column: 3) on node pagent1.testcentos7.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Content of these classes from the Puppet server:
[root#pmaster ~]# cat /etc/puppetlabs/code/environments/production/manifests/site.pp
node pagent1.testcentos7.com {
class { 'nginx': }
}
[root#pmaster ~]# cat /etc/puppetlabs/code/environments/production/modules/nginx/manifests/manifests/init.pp
class nginx {
contain nginx::install
}
[root#pmaster ~]# cat /etc/puppetlabs/code/environments/production/modules/nginx/manifests/install.pp
class nginx::install {
package { 'install_nginx':
name => 'nginx',
ensure => 'present',
}
}
Syntax check shows this error:
[root#pmaster ~]# puppet parser validate /etc/puppetlabs/code/environments/production/modules/nginx/manifests/manifests/init.pp
Error: Could not parse for environment production: Unacceptable location. The name 'nginx' is unacceptable in file '/etc/puppetlabs/code/environments/production/modules/nginx/manifests/manifests/init.pp' (file: /etc/puppetlabs/code/environments/production/modules/nginx/manifests/manifests/init.pp, line: 7, column: 1)
NOTE: Created module 'nginx' and its classes using Puppet Development Kit(PDK).
Is that a bug or something or I made a mistake with the class name?.
Related thread I found is https://groups.google.com/forum/embed/#!topic/puppet-users/nxbwCvWrgMI but would like to have someone simplify this for me
Solved this by moving 'init.pp' to the path /etc/puppetlabs/code/environments/production/modules/nginx/manifests where install class file 'install.pp' exists.
For more clarity, I put both the files 'init.pp' and 'install.pp' in the same location directory /etc/puppetlabs/code/environments/production/modules/nginx/manifests to solve this.
I am trying to install jdk rpm via Puppet. I have tried lot of manifests but none of them working.
At this moment, I have manifest like this
class java {
#file {' Java 8 rpm file':
#source => 'puppet:///modules/java/jdk-8u161-linux-x64.rpm',
#}
package { 'jdk-8u161-linux-x64.rpm':
ensure => 'present',
provider => 'rpm',
source => '/etc/puppetlabs/code/environments/production/modules/java/jdk-8u161-linux-x64.rpm',
}
}
And I am getting below error
[root#sahasraarchi ~]# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for sahasraarchi.devmac.com
Info: Applying configuration version '1517758835'
Error: Execution of '/usr/bin/rpm -i /etc/puppetlabs/code/environments/production/modules/java/jdk-8u161-linux-x64.rpm' returned 1: error: open of /etc/puppetlabs/code/environments/production/modules/java/jdk-8u161-linux-x64.rpm failed: No such file or directory
Error: /Stage[main]/Java/Package[jdk-8u161-linux-x64.rpm]/ensure: change from absent to present failed: Execution of '/usr/bin/rpm -i /etc/puppetlabs/code/environments/production/modules/java/jdk-8u161-linux-x64.rpm' returned 1: error: open of /etc/puppetlabs/code/environments/production/modules/java/jdk-8u161-linux-x64.rpm failed: No such file or directory
Notice: Applied catalog in 2.01 seconds
[root#sahasraarchi ~]#
Seems I have missed basic point here. Source at package attribute is always referring the address on Puppet-agent. i.e to where file copying to remote machine before its getting installed.
class java {
file {' /tmp/jdk-8u161-linux-x64.rpm':
source => 'puppet:///modules/java/jdk-8u161-linux-x64.rpm',
}
package { 'jdk-8u161-linux-x64.rpm':
ensure => 'present',
provider => 'rpm',
source => '/tmp/jdk-8u161-linux-x64.rpm',
require => File["/tmp/jdk-8u161-linux-x64.rpm"],
}
}
Will install the rpm at Puppet-agent.
On agent node:
root#agent2-VirtualBox:/var/lib/puppet# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find default node or by name with 'agent2-virtualbox.servicemesh.com, agent2-virtualbox.servicemesh, agent2-virtualbox, agent2-VirtualBox.servicemesh.com, agent2-VirtualBox.servicemesh, agent2-VirtualBox' on node agent2-virtualbox.servicemesh.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
root#agent2-VirtualBox:/var/lib/puppet#
On the puppet master side:
root#puppetmaster:~# puppet cert sign --all
Error: No waiting certificate requests to sign
root#puppetmaster:~#
How to resolve this?
You need to check you site.pp and make sure you either have a default node definition defined or a node definition for the FQDN of your agent.
https://docs.puppet.com/puppet/latest/reference/lang_node_definitions.html
for example:
node 'agent2-virtualbox.servicemesh.com' {
import ntp
}
I'm running puppet 2.7.26 because that's what the redhat package provides.
I'm trying to serve files that are NOT stored within any puppet modules. The files are maintained in another location on the puppet server, and that is where I need to serve them from.
I have this in my /etc/puppet/fileserver.conf
[files]
path /var/www/cobbler/pub
allow *
And then I have a class file like this:
class etchostfile
(
$hostfile /* declare that this class has one parameter */
)
{
File
{
owner => 'root',
group => 'root',
mode => '0644',
}
file { $hostfile :
ensure => file,
source => "puppet:///files/hosts-${hostfile}.txt",
path => '/root/hosts',
}
}
But when my node calls
class { 'etchostfile' :
hostfile => foo,
}
I get this error
err: /Stage[main]/Etchostfile/File[foo]: Could not evaluate: Error 400
on SERVER: Not authorized to call find on
/file_metadata/files/hosts-foo.txt with {:links=>"manage"} Could not
retrieve file metadata for puppet:///files/hosts-foo.txt: Error 400 on
SERVER: Not authorized to call find on
/file_metadata/files/hosts-foo.txt with {:links=>"manage"} at
/etc/puppet/modules/etchostfile/manifests/init.pp:27
This post
https://viewsby.wordpress.com/2013/04/05/puppet-error-400-on-server-not-authorized-to-call-find/
indicates that this is all I need to do. But I must be missing something.
UPDATE
When I run the master in debug mode, I get no error.
The master responds thusly:
info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[^/node/([^/]+)$]: allowing 'method' find
info: access[^/node/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[^/report/([^/]+)$]: allowing 'method' save
info: access[^/report/([^/]+)$]: allowing $1 access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication any
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication any
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication any
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: Inserting default '/status' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
info: Expiring the node cache of agent.redacted.com
info: Not using expired node for agent.redacted.com from cache; expired at Thu Aug 13 14:18:48 +0000 2015
info: Caching node for agent.redacted.com
debug: importing '/etc/puppet/modules/etchostfile/manifests/init.pp' in environment production
debug: Automatically imported etchostfile from etchostfile into production
debug: File[foo]: Adding default for selrange
debug: File[foo]: Adding default for group
debug: File[foo]: Adding default for seluser
debug: File[foo]: Adding default for selrole
debug: File[foo]: Adding default for owner
debug: File[foo]: Adding default for mode
debug: File[foo]: Adding default for seltype
notice: Compiled catalog for agent.redacted.com in environment production in 0.11 seconds
info: mount[files]: allowing * access
debug: Received report to process from agent.redacted.com
debug: Processing report from agent.redacted.com with processor Puppet::Reports::Store
and the agent responds thusly:
info: Caching catalog for agent.redacted.com
info: Applying configuration version '1439475588'
notice: /Stage[main]/Etchostfile/File[foo]/ensure: defined content as '{md5}75125a96a68a0ff0d42f91f10dca8336'
notice: Finished catalog run in 0.42 seconds
and the file is properly installed/updated.
So it works when the master is in debug mode, but it errors when the master is in standard (?) mode. I can go back and forth, in and out of debug mode at will, and it works every time in debug mode, and it fails every time in standard mode.
UPDATE 2
Running puppetmasterd from the command line, and everything works.
Running service puppetmaster start or /etc/init.d/puppetmaster start from the command line, and it fails. So at least I'm getting closer.
/etc/sysconfig/puppetmaster is entirely commented out. So as of now, I do not see any difference between just starting puppetmasterd and using the service script.
UPDATE 3
I think it's an SELinux problem.
With SELinux "enforcing" on the master, service puppetmaster restart, and I get the error.
I change SELinux to "Permissive" on the master, and I still get the error.
But now that SELinux is set to Permissive, if I service puppetmaster restart, my files get served properly.
But now that it's working, I set SELinux to Enforcing, and I get a different error:
err: /Stage[main]/Etchostfile/File[foo]: Could not evaluate: Could not
retrieve information from environment production source(s)
puppet:///files/hosts-foo.txt at
/etc/puppet/modules/etchostfile/manifests/init.pp:27
Then I do a service puppetmaster restart and I'm back to the original error.
So the situation changes depending on
how I started the service (puppetmasterd or service)
what SELinux was set to when I started the service
what SELinux is set to when the agent runs.
The closer I get, the more confused I get.
UPDATE 4
I think I found it. Once I started looking at SELinux, I found the policy changes I needed to make (allowing ruby/puppet to access cobbler files) and now it appears to be working...
This turned out to be an SELinux problem. I eventually found this error message
SELinux is preventing /usr/bin/ruby from read access
on the file /var/www/cobbler/pub/hosts-foo.txt .
which led me to the audit2allow rules I needed to apply to allow puppet to access my cobbler files.
I was getting this error with puppet server on ubuntu 20.
Error: /Stage[main]/Dvod_tocr/File[/install/wine-data.tar.gz]: Could not evaluate: Could not retrieve file metadata for puppet:///extra_files/wine-data.tar.gz: Error 500 on SERVER: Server Error: Not authorized to call find on /file_metadata/extra_files/wine-data.tar.gz with {:rest=>"extra_files/wine-data.tar.gz", :links=>"manage", :checksum_type=>"sha256", :source_permissions=>"ignore"}
My fileserver.conf file was in the wrong location. The correct location for this puppet version and on ubuntu 20 is /etc/puppetlabs/puppet/fileserver.conf