Hello,

On Apr 9, 2013, at 12:02 AM, Stack Kororā wrote:
> Greetings!
>
> I am having a problem with puppet mounting a device and am hoping someone
> can help. Here is the short version, if you have questions or need more
> detail, please feel free to ask.
>
> I have a Panasas storage device on my network on which my home directory
> resides. The Panasas device mounts the filesystem via a kernel module
> (which they call DirectFlow). Thus, when I run as root `mount /home` a
> kernel module is loaded and then the filesystem is loaded. I have certain
> restrictions in place on my servers which I have to keep in line (Puppet is
> AMAZING for this!) and the mounting of /home is one of those restrictions.
>
> I have in my puppet manifest this:
> mount { "/home" :
>   ensure => mounted,
>   atboot => true,
>   device => "panfs://192.168.1.20/home",
>   fstype => "panfs",
>   options => "defaults,nodev",
>   remounts => true,
>   pass => 2,
>   dump => 1,
> }
>
> If I run, as root, `puppet agent --test` then the /home filesystem is
> mounted and everything is wonderful. However, if I let the puppet agent
> daemon try to mount /home I get errors in the log files without the mount
> ever happening.
>

The puppet agent that runs on your server is normally running as root (it has to be to have privileges to make all of the changes it can do). However a number of Linux operating systems have further security protection beyond just root which can restrict what daemons can do but does not restrict what a 'human' logged in as root may be able to do. For example all of the Red Hat Enterprise Linux (and Fedora) use SELinux which will normally limit what even root executing daemon processes can do in order to protect the system from attacks. Other OS's like OpenBSD/FreeBSD or Linux distributions have similar capabilities that go by different names. If those are enabled, you may find that things you can do as a root user don't work when run from cron or from a daemon process.

If this is RHEL/CentOS then try putting SELinux in permissive mode (as root user run 'setenforce Permissive') and see if you have the same problem. If so then that identifies the issue and you can either generate a custom SELinux policy for puppet, run in permissive, or change the way the mount happens. What to do depends on your organization security policy. Since it works when you run puppet agent --test the manifest itself is probably fine and the puppet mount code is able to load your module ok.

> Apr 2 13:01:08 testnode puppet-agent[29955]:
> (/Stage[main]/mount::Homefilesystem/Mount[/home]/ensure) ensure changed
> 'unmounted' to 'mounted'
> Apr 2 13:01:08 testnode puppet-agent[29955]:
> (/Stage[main]/mount::Homefilesystem/Mount[/home]) Could not evaluate:
> Execution of '/bin/mount -o defaults,nodev /home' returned 1: mount.panfs
> error: cannot init pan_sock_ping 0x239d (pan_sock: protected socket,
> permission denied)
>
> Neither Panasas representatives I talked to seemed to have any idea what
> Puppet was before I spoke to them. My coworkers, the Panasas reps, and I
> brainstormed a few ideas but only three seemed to "work":
> * Have the puppet daemon run as root instead of the puppet user (which is
> an obvious issue)

This should already be happening. Only the 'puppet master' runs as a regular 'puppet' user, the agent normally runs as root.

> * Use auto-mount (which "works" but is causing some oddities in a few of my
> jobs which I am fairly sure is due to the latency of the mount)
> * Have Puppet call a script with the setuid bit configured which can mount
> /home (which doesn't 100% address my needs of puppet being able to remount
> if one of those parameters is wrong/missing/changed/whatever without that
> script getting complicated).

I would not recommend this. It is fragile and as you say loses much of the benefit of puppet.

>
> Before I commit towards one option, I thought I would ask the other Puppet
> masters out there for ideas.
> Given the popularity of Puppet in datacenters
> as well as the popularity of SAN devices in datacenters I figure someone
> out there has probably solved this problem. I am hoping that their solution
> is better than the ones we have come up with. :-D
>
> Can anyone help me out with this?
>
> Thank you in advance!!
>
> Stack
>

Hope this helps.

Jonathan

-------------------------------------------------------------------------------
Jonathan Stanton         jonat...@spreadconcepts.com
Spread Group Messaging   www.spread.org
Spread Concepts LLC      www.spreadconcepts.com
-------------------------------------------------------------------------------

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
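
Added example, not part of the original message: when the permissive-mode test described above points at SELinux, each blocked operation is recorded as an AVC record in the audit log, and this script counts those records for one command name. The sample records are constructed; the `mount_t` domain and the `rawip_socket` class in them are assumptions, since the message shows only the `mount.panfs` error.

```shell
#!/bin/sh
# Count SELinux AVC denials for one command name.
# Live use on a host running auditd:
#   ausearch -m avc -ts recent | avc_summary mount.panfs

# Constructed sample input. The source domain (mount_t) and the denied
# class/permission are assumptions, not taken from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1364925668.101:812): avc:  denied  { create } for  pid=29960 comm="mount.panfs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1364925668.101:812): arch=c000003e syscall=41 success=no exit=-13 comm="mount.panfs"
type=AVC msg=audit(1364929268.377:901): avc:  denied  { create } for  pid=30412 comm="mount.panfs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=rawip_socket
type=AVC msg=audit(1364929300.002:910): avc:  denied  { getattr } for  pid=1220 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reads audit records on stdin and prints one line per distinct denial:
#   <count> <source domain> <object class> <permissions>
avc_summary() {
    awk -v want="$1" '
    /^type=AVC / && / denied / {
        # Permissions sit between the braces: "{ create }".
        b = index($0, "{"); e = index($0, "}")
        perms = substr($0, b + 1, e - b - 1)
        gsub(/^ +| +$/, "", perms)
        comm = ""; dom = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            # scontext is user:role:type:level; the type is the domain.
            if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (comm == want) n[dom " " cls " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort
}

sample_audit_log | avc_summary mount.panfs
```

An empty result for the failing command while the mount still fails under the daemon suggests the restriction comes from somewhere other than SELinux.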