On Monday, July 15, 2013 6:36:37 AM UTC-5, Piotr Jasiulewicz wrote:
>
> Hi,
>
> just bumping this, still looking and still have a problem, anyone any clues?
>
> Thanks,
> Piotr
>
> On Friday, July 12, 2013 17:44:41 UTC+1, Piotr Jasiulewicz wrote:
>>
>> Hi,
>>
>> having some problems running puppet:
>>
>> root@puppet:/etc# puppet master --debug --verbose --no-daemonize
>> debug: Failed to load library 'selinux' for feature 'selinux'
>> debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
>> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
>> debug: Puppet::Type::User::ProviderPw: file pw does not exist
>> debug: Puppet::Type::User::ProviderLdap: true value when expecting false
>> debug: Failed to load library 'ldap' for feature 'ldap'
>> debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
>> debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
>> debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
>> debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
>> debug: /File[/var/run/puppet/master.pid]: Autorequiring File[/var/run/puppet]
>> debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
>> debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
>> debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
>> debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
>> debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
>> debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
>> debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
>> debug: /File[/var/lib/puppet/server_data]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
>> debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/lib/puppet/rrd]: Autorequiring File[/var/lib/puppet]
>> debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
>> debug: Finishing transaction 70230043318440
>> debug: /File[/var/lib/puppet/ssl/ca/private]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/private/ca.pass]: Autorequiring File[/var/lib/puppet/ssl/ca/private]
>> debug: /File[/var/lib/puppet/ssl/ca/serial]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/inventory.txt]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: /File[/var/lib/puppet/ssl/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
>> debug: Finishing transaction 70230042058100
>> debug: Using cached certificate for ca
>> info: Creating a new SSL key for puppet.sherstondevelopments.co.uk
>> Could not run: Could not write /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem to privatekeydir: Permission denied - /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem
>>
>>
>> Any clues anyone? The permissions of the file seem to change whenever I run this:/
>>
>> Cheers,
>> Piotr
>>
>>

First off, the master does not need to run as a privileged user (e.g. root), as your transcript shows you doing. Since it does not need to run with privilege, good security practices dictate that it *not* run with privilege. I can imagine you saying that reducing process privileges is a move in the wrong direction when you are faced with a permissions problem, but in this case it is absolutely the right thing to do. You need to get the master working for the way you want it to run, so you should test that way.

If you installed Puppet via a package (RPM, DEB, etc.) then it probably set up an unprivileged user account for you, likely named "puppet" or something similar. Does the master fail the same way if you launch it as that user?

    sudo -u puppet puppet master --debug --verbose --no-daemonize

And also when you launch it via your distro's service management tools?

    service puppetmaster start

(or similar). You might find that it does not.

Inasmuch as puppet fails with a permission error when running from a privileged account, there must be more at play than just ordinary discretionary access controls. SELinux running in enforcing mode, for example, could allow the master to run correctly when launched by the service manager, but cause permission denials such as you observed when the master is launched directly from a root shell. Alternatively, if the target file is on a file system mounted read-only, then even root will be unable to modify its contents. Or if the target file is on a network file system such as NFS, then the local root user may actually have less permission for its contents than some or all ordinary users.

I hope that gives you a nudge in the right direction. If it is needed, we may be able to render further assistance once you have narrowed down the cause of the permission denial.

John
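
The three causes named in the reply above (SELinux enforcing, a read-only mount, a network file system) can be checked mechanically for a given path. The script below is an added example, not part of the original thread: the function names and the sample mount table are constructed for illustration, and on a live host the mount table defaults to /proc/mounts and the SELinux mode to the output of getenforce.

```shell
#!/bin/sh
# Added example (not from the thread): which of the three causes named in
# the reply could explain "Permission denied" for root on a given path.

# Constructed sample in /proc/mounts format; not taken from the poster's host.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /var/lib/puppet ext4 ro,relatime 0 0
nas:/export /srv/share nfs4 rw,relatime,vers=4.1 0 0
EOF
}

# find_mount PATH [MOUNTS]: print "mountpoint fstype options" for the mount
# that holds PATH. MOUNTS defaults to /proc/mounts; "-" reads stdin.
find_mount() {
    awk -v p="$1" '
        # Longest matching mount point wins; on a tie the later entry wins,
        # because a later mount shadows an earlier one at the same point.
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); hit = $2 " " $3 " " $4 }
        }
        END { if (hit != "") print hit }
    ' "${2:-/proc/mounts}"
}

# classify_denial PATH [MOUNTS] [SELINUX_MODE]: print the candidate causes.
# SELINUX_MODE defaults to getenforce output, or "Disabled" if it is absent.
classify_denial() {
    path=$1
    mounts=${2:-/proc/mounts}
    mode=${3:-$(command -v getenforce >/dev/null 2>&1 && getenforce || echo Disabled)}
    set -- $(find_mount "$path" "$mounts")   # $1=mountpoint $2=fstype $3=options
    causes=""
    case ",$3," in *,ro,*) causes="$causes read-only-mount" ;; esac
    case "$2" in nfs|nfs4) causes="$causes network-filesystem" ;; esac
    if [ "$mode" = "Enforcing" ]; then causes="$causes selinux-enforcing"; fi
    causes=${causes# }
    echo "${causes:-none}"
}

# Demo on the constructed table, using the key path from the error message.
sample_mounts | classify_denial \
    /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem - Enforcing
```

On a live host, call `classify_denial /path/to/file` with no further arguments so that the real mount table and SELinux mode are used.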