On Wednesday, October 24, 2012 7:44:26 PM UTC-4, Nick Fagerlund wrote:
>
> HMMMMMMM, this actually sounds like you've got a slightly larger problem, 
> since it can't get its own node object or its plugins. Any chance we could get 
> a look at your whole auth.conf? 
>
> On Wednesday, October 24, 2012 3:41:32 PM UTC-7, Forrie wrote:
>>
>> No, I didn't leave *example.com* in my config - I put our own domain in 
>> there... just FYI ;-)
>>
>>

auth.conf is below.

First, we have some simple classes that we use to manage files and packages 
that do not need to be in a module.   For example, 
/etc/puppet/files/etc/ntp.conf is a file I distribute to all our internal 
systems and I use this very simple recipe to manage them, which works fine 
under 2.7:

[ ntp-client.pp ]

# puppet:///etc/ntp.conf names the fileserver mount point "etc" and the file
# ntp.conf inside it; the agent fetches it from the master as file_metadata /
# file_content requests.
class ntp-client {

    file { "/etc/ntp.conf":
        owner   => root,
        group   => root,
        mode    => '0644',            # quoted so the mode is read as an octal string
        source  => "puppet:///etc/ntp.conf",
        require => [ Package["ntp"] ],
        notify  => Service["ntpd"],
    }

    package { "ntp":
        ensure => latest,
    }

    service { "ntpd":
        ensure     => running,
        hasrestart => true,
        subscribe  => File["/etc/ntp.conf"],   # same edge as the file's notify above
    }

} # ntp-client



From what I read in the docs, this /should/ work.  But it doesn't.   I 
shouldn't have to create a module path in order for this recipe to work (as 
I've seen suggested, or I've misunderstood).  

Here is the auth.conf file:


[ auth.conf ]

# This is an example auth.conf file, it mimics the puppetmasterd defaults
#
# The ACL are checked in order of appearance in this file.
#
# Supported syntax:
# This file supports two different syntax depending on how
# you want to express the ACL.
#
# Path syntax (the one used below):
# ---------------------------------
# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The path is matched as a prefix. That is /file match at
# the same time /file_metadat and /file_content.
#
# Regex syntax:
# -------------
# This one is differenciated from the path one by a '~'
#
# path ~ regex
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The regex syntax is the same as ruby ones.
#
# Ex:
# path ~ .pp$
# will match every resource ending in .pp (manifests files for instance)
#
# path ~ ^/path/to/resource
# is essentially equivalent to path /path/to/resource
#
# environment:: restrict an ACL to a specific set of environments
# method:: restrict an ACL to a specific set of methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#

### Authenticated ACL - those applies only when the client
### has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their reports
path /report
method save
allow *

# inconditionnally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
# path /file
# allow *
# allow_ip 10.101.0.0/24
# allow_ip 10.103.0.0/24

# Note that nothing here works, regardless of the CIDR
path ~ ^/file_(metadata|content)/files/
auth yes
allow /^(.+\.)?example.com$/
allow_ip 10.0.0.0/8

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate

# allow access to the master CA
path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

# this one is not stricly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
# allow *
auth any
 

Here are some of the errors I'm seeing today.  I do not have any other 
modules or classes defined here, just the ntp-client.pp on the staging 
system:



Oct 30 17:50:38 stage1 puppet-agent[3421]: catalog supports formats: 
b64_zlib_yaml dot pson raw yaml; using pson
Oct 30 17:50:38 stage1 puppet-agent[3421]: Caching catalog for 
stage1.mydomain.com
Oct 30 17:50:38 stage1 puppet-agent[3421]: Creating default schedules
Oct 30 17:50:38 stage1 puppet-agent[3421]: Loaded state in 0.00 seconds
Oct 30 17:50:38 stage1 puppet-agent[3421]: Applying configuration version 
'1351630198'
Oct 30 17:50:38 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/Service[ntpd]/subscribe) subscribes to 
File[/etc/ntp.conf]
Oct 30 17:50:38 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/File[/etc/ntp.conf]/require) requires Package[ntp]
Oct 30 17:50:38 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/File[/etc/ntp.conf]/notify) subscribes to 
Service[ntpd]
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[daily]) Skipping 
device resources because running on a host
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[monthly]) Skipping 
device resources because running on a host
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[hourly]) Skipping 
device resources because running on a host
Oct 30 17:50:38 stage1 puppet-agent[3421]: Prefetching yum resources for 
package
Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm --version'
Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm -qa 
--nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} 
%{RELEASE} %{ARCH}
Oct 30 17:50:38 stage1 puppet-agent[3421]: ''
Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/usr/bin/python 
/usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/provider/package/yumhelper.py'
Oct 30 17:50:40 stage1 puppet-agent[3421]: file_metadata supports formats: 
b64_zlib_yaml pson raw yaml; using pson
Oct 30 17:50:40 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 403 
on SERVER: Forbidden request: stage1.mydomain.com(127.0.0.1) access to 
/file_metadata/etc/ntp.conf [find] authenticated  at :100 Could not 
retrieve file metadata for puppet:///etc/ntp.conf: Error 403 on SERVER: 
Forbidden request: stage1.mydomain.com(127.0.0.1) access to 
/file_metadata/etc/ntp.conf [find] authenticated  at :100
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[never]) Skipping 
device resources because running on a host
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[weekly]) Skipping 
device resources because running on a host
Oct 30 17:50:40 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/Service[ntpd]) Dependency File[/etc/ntp.conf] has 
failures: true
Oct 30 17:50:40 stage1 puppet-agent[3421]: 
(/Stage[main]/Ntp-client/Service[ntpd]) Skipping because of failed 
dependencies
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[puppet]) Skipping 
device resources because running on a host
Oct 30 17:50:40 stage1 puppet-agent[3421]: Finishing transaction 
23478903583320
Oct 30 17:50:40 stage1 puppet-agent[3421]: Storing state
Oct 30 17:50:40 stage1 puppet-agent[3421]: Stored state in 0.01 seconds
Oct 30 17:50:40 stage1 puppet-agent[3421]: Finished catalog run in 2.03 
seconds
Oct 30 17:50:40 stage1 puppet-agent[3421]: Value of 
'preferred_serialization_format' (pson) is invalid for report, using 
default (b64_zlib_yaml)
Oct 30 17:50:40 stage1 puppet-agent[3421]: report supports formats: 
b64_zlib_yaml raw yaml; using b64_zlib_yaml




-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/QmYODZtLp8YJ.
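To see which rule of an auth.conf like the one above a given request ends up at, here is a small evaluator added as an example (it is not code from this thread or from Puppet itself): it implements the path-prefix and regex rule syntax described in the file's own header comments, with method, auth, allow (including the $1 and /regex/ forms) and allow_ip, and runs the request the log reports as denied (/file_metadata/etc/ntp.conf, find, authenticated, stage1.mydomain.com at 127.0.0.1) against a reduced copy of the rules. It assumes first-applicable-rule semantics, does not model deny or environment, and uses mydomain.com from the log in place of the allow regex's domain.

```ruby
require 'ipaddr'
# Added example, not Puppet's own code: simplified model of Puppet 3 auth.conf evaluation.
# First rule whose path matches and whose method/auth qualifiers apply decides the request.
Rule = Struct.new(:prefix, :regex, :method_list, :auth, :allows, :allow_ips)
def parse_auth_conf(text)
  text.each_line.with_object([]) do |raw, rules|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'     # "path ~ regex" or a plain prefix path; auth defaults to yes
      regex = value.start_with?('~') ? Regexp.new(value.sub(/\A~\s*/, '')) : nil
      rules << Rule.new(regex ? nil : value, regex, nil, 'yes', [], [])
    when 'method'   then rules.last.method_list = value.split(/\s*,\s*/)
    when 'auth'     then rules.last.auth = value
    when 'allow'    then rules.last.allows << value
    when 'allow_ip' then rules.last.allow_ips << IPAddr.new(value)
    end
  end
end

# Returns [:allow or :deny, index of the deciding rule]; [:deny, nil] when no rule applied.
def check(rules, path:, method:, authenticated:, node:, ip:)
  rules.each_with_index do |r, i|
    m = r.regex ? r.regex.match(path) : (path.start_with?(r.prefix) ? [] : nil)
    next unless m                                             # path does not apply
    next if r.method_list && !r.method_list.include?(method)  # rule is for other methods
    next if (r.auth == 'yes' && !authenticated) || (r.auth == 'no' && authenticated)
    ip_ok = r.allow_ips.any? { |net| net.include?(IPAddr.new(ip)) }
    name_ok = r.allows.any? do |pat|
      pat = pat.gsub(/\$(\d)/) { m[$1.to_i] } if r.regex      # "allow $1" backreference
      pat == '*' || pat == node || (pat =~ %r{\A/(.*)/\z} && node =~ Regexp.new($1))
    end
    return [(ip_ok || name_ok) ? :allow : :deny, i]
  end
  [:deny, nil]
end

AUTH_CONF = <<~'CONF'   # constructed: the thread's rules, reduced, with the log's domain
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  path ~ ^/file_(metadata|content)/files/
  allow /^(.+\.)?mydomain.com$/
  allow_ip 10.0.0.0/8
  path /
  auth any
CONF
RULES = parse_auth_conf(AUTH_CONF)
LOGGED = { method: 'find', authenticated: true, node: 'stage1.mydomain.com', ip: '127.0.0.1' }
p check(RULES, path: '/file_metadata/etc/ntp.conf', **LOGGED)   # => [:deny, 2]: only "path /" matched
```

The logged request never matches the regex rule, which only covers the `files` mount, so it reaches the catch-all `path /` rule whose `allow *` is commented out; the same evaluator returns `[:allow, 1]` for `/file_metadata/files/ntp.conf` from the same node.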