Hi! Just a thought: I don't have any place to test it and it's been a while since I had to deal with SELinux... but check the SELinux booleans; you might find something there that is not allowing the puppet agent to use mount.
IIRC you could list all of them with "semanage boolean -l".

sjr

On Wednesday, April 10, 2013 1:07:04 AM UTC+2, Stack Kororā wrote:
>
> On Tuesday, April 9, 2013 9:56:11 AM UTC-5, Jonathan Stanton wrote:
>>
>> [snip]
>>
>> If those are enabled, you may find that things you can do as a root user
>> don't work when run from cron or from a daemon process.
>>
>> If this is RHEL/Centos then try putting SElinux in permissive mode (as
>> root user run 'setenforce Permissive' ) and see if you have the same
>> problem. If so then that identifies the issue and you can either generate a
>> custom selinux policy for puppet, run in permissive, or change the way the
>> mount happens. What to do depends on your organization security policy.
>
> Thanks Jonathan!
> That was exactly the problem. SELinux runs on these systems and I was so
> focused on the puppet part that I missed the SELinux part. Doh!
>
>> [snip]
>>
>> This should already be happening. Only the 'puppet master' runs as a
>> regular 'puppet' user, the agent normally runs as root.
>
> Thanks for letting me know. I thought both ran as puppet before now.
>
> I put SELinux into permissive mode and let the puppet agent do its thing
> successfully! Hooray!! But I really need SELinux... Any suggestions on
> getting this to work through SELinux* ?
>
> * I completely understand that this is not a Puppet problem anymore so a
> response of 'Go harass the SELinux list' won't hurt my feelings any. But it
> is worth it to ask as I am sure there are others who deal with Puppet and
> SELinux.
> :-)
>
> Since SELinux is in permissive mode, I piped the relevant information from
> audit.log into audit2allow.
>
> $ tail -50 /var/log/audit/audit.log | grep -i panfs | audit2allow -m panfs
> module panfs 1.0;
>
> require {
> type node_t;
> type sysctl_vm_t;
> type mount_t;
> class capability net_raw;
> class dir search;
> class file read;
> class rawip_socket { ioctl shutdown bind create getattr node_bind };
> }
>
> #============= mount_t ==============
> allow mount_t node_t:rawip_socket node_bind;
> allow mount_t self:capability net_raw;
> allow mount_t self:rawip_socket { bind create ioctl shutdown getattr };
> allow mount_t sysctl_vm_t:dir search;
> allow mount_t sysctl_vm_t:file read;
>
> Since that looked good, I updated the module in SELinux
> $ tail -50 /var/log/audit/audit.log | grep -i panfs | audit2allow -M panfs
> $ semodule -i panfs
> $ semodule -l | grep panfs
> panfs 1.0
>
> Then I turned SELinux back on with setenforce and reset puppet with
> `service puppet restart`. I didn't get any SELinux audit messages, but it
> still doesn't mount. It looks like (to me anyway) that the mounting process
> is still trying to get to resources that it can't access because they are
> being blocked by SELinux. However, I was really hoping that it would put
> something in to the audit.log file, but nothing changed. Any ideas as to
> why it didn't work?
>
> Apr 9 16:22:00 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]/ensure) ensure changed
> 'unmounted' to 'mounted'
> Apr 9 16:22:01 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) Could not evaluate:
> Execution of '/bin/mount -o defaults,nodev /home' returned 1: mount.panfs
> warning: couldn't ping address 192.168.1.20:3095 using 192.168.1.11:1,
> 0x239d (pan_sock: protected socket, permission denied)
> Apr 9 16:22:01 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs warning:
> This mount still may succeed, but one or more local interfaces (listed
> below) failed communicate with the Panasas realm during mount. This
> suggests that a route cannot be established between these local
> interface(s) and the system. A client sends a list of IP addresses on
> which the Panasas storage system may establish a connection. If any one of
> these addresses should be excluded from the mount time check, use the
> 'callback-network-disallow' or 'callback-address-disallow' mount options.
> See 'man 8 mount.panfs' for more details on PanFS mount options.
> Excluding the interface from the check at mount time will avoid long
> running mount commands.
> Apr 9 16:22:01 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs: failed
> local addresses: 192.168.1.11:1
> Apr 9 16:22:01 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs:
> successful local addresses:
> Apr 9 16:22:01 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs error:
> couldn't ping realm servers for mount
> Apr 9 16:22:01 test puppet-agent[32086]:
> (/Stage[main]/Cisaudit::Homefilesystem/Mount[/home]) mount.panfs error:
> cannot process mount options in postinit step 0x7 (Invalid argument)
>
> Thanks again! I appreciate the help!

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
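The audit2allow workflow quoted in the thread (AVC denials in audit.log turned into a policy module, then a check that the loaded module actually covers what is being denied) is shown below as an added example; it is not code from the thread or from the SELinux tools. It is a small POSIX sh/awk re-implementation of the summary step audit2allow performs, so the reader can see exactly which (source type, target type, class, permission) tuples each AVC line contributes and compare them against the allow rules in a .te file. The function names `avc_tuples`, `avc_to_te`, `te_tuples` and `uncovered` are hypothetical, and `SAMPLE_AUDIT` and `SAMPLE_TE` are constructed: the pids, timestamps, inode numbers and addresses are made up, modelled on the denials in the thread, and the sample module deliberately omits the `file read` rule so the coverage check has something to report.

```shell
#!/bin/sh
# Added example (not from the thread): summarize AVC denials the way audit2allow
# does and list the denials a given .te module does not yet cover.

# Constructed sample audit.log lines (pids, timestamps, inodes are made up).
SAMPLE_AUDIT='type=AVC msg=audit(1365545921.101:301): avc:  denied  { node_bind } for  pid=32090 comm="mount.panfs" saddr=192.168.1.11 src=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket
type=AVC msg=audit(1365545921.102:302): avc:  denied  { net_raw } for  pid=32090 comm="mount.panfs" capability=13 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=capability
type=AVC msg=audit(1365545921.103:303): avc:  denied  { create bind } for  pid=32090 comm="mount.panfs" scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:mount_t:s0 tclass=rawip_socket
type=AVC msg=audit(1365545921.104:304): avc:  denied  { search } for  pid=32090 comm="mount.panfs" name="vm" dev=proc ino=4026 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=dir
type=AVC msg=audit(1365545921.105:305): avc:  denied  { read } for  pid=32090 comm="mount.panfs" name="overcommit_memory" dev=proc ino=4027 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file
type=SYSCALL msg=audit(1365545921.105:305): arch=c000003e syscall=2 success=no exit=-13 comm="mount.panfs"'

# Constructed sample module: like the thread's audit2allow output, but missing
# the "allow mount_t sysctl_vm_t:file read;" rule on purpose.
SAMPLE_TE='module panfs 1.0;

require {
	type node_t;
	type sysctl_vm_t;
	type mount_t;
	class capability net_raw;
	class dir search;
	class rawip_socket { bind create node_bind };
}

allow mount_t node_t:rawip_socket node_bind;
allow mount_t self:capability net_raw;
allow mount_t self:rawip_socket { bind create };
allow mount_t sysctl_vm_t:dir search;'

# audit log on stdin -> sorted unique lines "source_type target_type class perm".
# The target is printed as "self" when it has the same type as the source,
# which is how audit2allow prints it too.
avc_tuples() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms)   # keep what is inside { ... }
        sub(/ *[}].*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (tgt == src) tgt = "self"
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# tuples on stdin -> a .te module (the shape "audit2allow -m NAME" produces).
avc_to_te() {
    awk -v name="$1" '
    {
        src = $1; tgt = $2; cls = $3; perm = $4
        key = src SUBSEP tgt SUBSEP cls
        rules[key] = rules[key] " " perm           # group perms per (src,tgt,cls)
        types[src] = 1
        if (tgt != "self") types[tgt] = 1
        if (!((cls SUBSEP perm) in seen)) { seen[cls SUBSEP perm] = 1; classes[cls] = classes[cls] " " perm }
    }
    END {
        print "module " name " 1.0;"; print ""
        print "require {"
        for (t in types) print "\ttype " t ";"
        for (c in classes) print "\tclass " c " {" classes[c] " };"
        print "}"; print ""
        for (k in rules) { split(k, f, SUBSEP); print "allow " f[1] " " f[2] ":" f[3] " {" rules[k] " };" }
    }'
}

# .te on stdin -> the same tuple format, expanded from its allow rules.
te_tuples() {
    awk '
    /^allow / {
        line = $0; sub(/;.*/, "", line)
        src = $2; split($3, tc, ":"); tgt = tc[1]; cls = tc[2]
        perms = line; sub(/^allow [^ ]+ [^ ]+ */, "", perms); gsub(/[{}]/, "", perms)
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u
}

# uncovered AUDIT_FILE TE_FILE -> denials in the log with no matching allow rule.
uncovered() {
    need=$(mktemp); have=$(mktemp)
    avc_tuples < "$1" > "$need"
    te_tuples  < "$2" > "$have"
    comm -23 "$need" "$have"        # both inputs are sort -u output
    rm -f "$need" "$have"
}

# Stand-alone demo: generate a module from the sample log, then show which
# sample denials the constructed SAMPLE_TE still lacks.
printf '%s\n' "$SAMPLE_AUDIT" | avc_tuples | avc_to_te panfs
demo_audit=$(mktemp); demo_te=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" > "$demo_audit"; printf '%s\n' "$SAMPLE_TE" > "$demo_te"
echo "# denials not covered by SAMPLE_TE:"
uncovered "$demo_audit" "$demo_te"
rm -f "$demo_audit" "$demo_te"
```

On a live system, feed `ausearch -m avc -ts recent` (or the `tail ... | grep -i panfs` pipeline from the thread) into `avc_tuples`, and compare against the `.te` that `audit2allow -M` wrote next to the `.pp` it produced (`semodule -i panfs.pp` is what loads the package; `sesearch -A -s mount_t` from setools queries the loaded policy directly). The situation described in the thread, where the mount still fails after the module is loaded but nothing new reaches audit.log, is typically caused by dontaudit rules in the base policy silencing the remaining denials: `semodule -DB` rebuilds the policy with dontaudit rules disabled so they show up in the log, and `semodule -B` restores them once the module has been completed.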