Hi John,

thanks for your answer, launching via service was the first thing I tried
(which also produces the same error).

The Linux is Ubuntu 13.X

The startup:

root@puppet:/etc/puppet# service puppetmaster start
 * Starting puppet master
        Could not run: Could not write /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem to privatekeydir: Permission denied - /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem

The directory:

root@puppet:/etc/puppet# ls -la /var/lib/puppet/ssl/private_keys/
total 8
drwxr-x--- 2 puppet root   4096 Jul 12 12:27 .
drwxrwx--x 8 puppet puppet 4096 Jun 25 12:54 ..



The script:

root@puppet:/etc/puppet# cat /etc/init.d/puppetmaster 
#! /bin/sh
### BEGIN INIT INFO
# Provides:          puppetmaster
# Required-Start:    $network $named $remote_fs $syslog
# Required-Stop:     $network $named $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: puppet master
# Description:       The puppet master accepts connections from puppet agents,
#                    compiles manifests into catalogs for them, acts as a file
#                    server and report server.
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/bin/puppet
DAEMON_OPTS=""
NAME=master
DESC="puppet master"

test -x $DAEMON || exit 0

# Site overrides (START, DAEMON_OPTS) come from /etc/default/puppetmaster
[ -r /etc/default/puppetmaster ] && . /etc/default/puppetmaster

. /lib/lsb/init-functions

if [ ! -d /var/run/puppet ]; then
    mkdir -p /var/run/puppet
fi

chown puppet:puppet /var/run/puppet

is_true() {
    if [ "x$1" = "xtrue" -o "x$1" = "xyes" -o "x$1" = "x0" ] ; then
        return 0
    else
        return 1
    fi
}

start_puppet_master() {
    if is_true "$START" ; then
        start-stop-daemon --start --pidfile /var/run/puppet/${NAME}.pid \
            --startas $DAEMON -- $NAME $DAEMON_OPTS
    else
        echo ""
        echo "puppetmaster not configured to start, please edit /etc/default/puppetmaster to enable"
    fi
}

stop_puppet_master() {
    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/puppet/${NAME}.pid
}

status_puppet_master() {
    status_of_proc -p "/var/run/puppet/${NAME}.pid" "${DAEMON}" "${NAME}"
}


case "$1" in
    start)
        log_begin_msg "Starting $DESC"
        start_puppet_master
        log_end_msg $?
        ;;
    stop)
        log_begin_msg "Stopping $DESC"
        stop_puppet_master
        log_end_msg $?
        ;;
    reload)
        # Do nothing, as Puppetmaster rechecks its config automatically
        ;;
    status)
        status_puppet_master
        ;;
    restart|force-reload)
        log_begin_msg "Restarting $DESC"
        stop_puppet_master
        sleep 1
        start_puppet_master
        log_end_msg $?
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|force-reload}" >&2
        exit 1
        ;;
esac


Still dunno what to do:/ 

any clues?


Thanks,
Piotr


The directory has all rights for puppet as the user, still could not get 
anywhere with that.

On Tuesday, 16 July 2013 16:16:32 UTC+1, jcbollinger wrote:
>
>
>
> On Monday, July 15, 2013 6:36:37 AM UTC-5, Piotr Jasiulewicz wrote:
>>
>> Hi,
>>
>> just bumping this, still looking and still have a problem, anyone any 
>> clues?
>>
>> Thanks,
>> Piotr
>>
>> On Friday, 12 July 2013 17:44:41 UTC+1, Piotr Jasiulewicz wrote:
>>>
>>> Hi,
>>>
>>> having some problems running puppet:
>>>
>>> root@puppet:/etc# puppet master --debug --verbose --no-daemonize
>>> debug: Failed to load library 'selinux' for feature 'selinux'
>>> debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not 
>>> exist
>>> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl 
>>> does not exist
>>> debug: Puppet::Type::User::ProviderPw: file pw does not exist
>>> debug: Puppet::Type::User::ProviderLdap: true value when expecting false
>>> debug: Failed to load library 'ldap' for feature 'ldap'
>>> debug: /File[/var/lib/puppet/reports]: Autorequiring 
>>> File[/var/lib/puppet]
>>> debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring 
>>> File[/var/lib/puppet/ssl/certs]
>>> debug: /File[/var/lib/puppet/ssl/private]: Autorequiring 
>>> File[/var/lib/puppet/ssl]
>>> debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring 
>>> File[/var/lib/puppet/ssl]
>>> debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring 
>>> File[/var/lib/puppet/ssl]
>>> debug: /File[/var/run/puppet/master.pid]: Autorequiring 
>>> File[/var/run/puppet]
>>> debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring 
>>> File[/etc/puppet/manifests]
>>> debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
>>> debug: /File[/etc/puppet/fileserver.conf]: Autorequiring 
>>> File[/etc/puppet]
>>> debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring 
>>> File[/var/lib/puppet/ssl]
>>> debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring 
>>> File[/var/lib/puppet/ssl]
>>> debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring 
>>> File[/var/lib/puppet/ssl]
>>> debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
>>> debug: /File[/var/lib/puppet/server_data]: Autorequiring 
>>> File[/var/lib/puppet]
>>> debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
>>> debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/var/lib/puppet/rrd]: Autorequiring File[/var/lib/puppet]
>>> debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring 
>>> File[/var/log/puppet]
>>> debug: Finishing transaction 70230043318440
>>> debug: /File[/var/lib/puppet/ssl/ca/private]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/private/ca.pass]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca/private]
>>> debug: /File[/var/lib/puppet/ssl/ca/serial]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/inventory.txt]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: /File[/var/lib/puppet/ssl/ca/ca_crt.pem]: Autorequiring 
>>> File[/var/lib/puppet/ssl/ca]
>>> debug: Finishing transaction 70230042058100
>>> debug: Using cached certificate for ca
>>> info: Creating a new SSL key for puppet.sherstondevelopments.co.uk
>>> Could not run: Could not write 
>>> /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem to 
>>> privatekeydir: Permission denied - 
>>> /var/lib/puppet/ssl/private_keys/puppet.sherstondevelopments.co.uk.pem
>>>
>>>
>>> Any clues anyone? The permissions of the file seem to change whenever I
>>> run this:/
>>>
>>> Cheers,
>>> Piotr 
>>>
>>>
>
> First off, the master does not need to run as a privileged user (e.g. 
> root), as your transcript shows you doing.  Since it does not need to run 
> with privilege, good security practices dictate that it *not* run with 
> privilege.
>
> I can imagine you saying that reducing process privileges is a move in the 
> wrong direction when you are faced with a permissions problem, but in this 
> case it is absolutely the right thing to do.  You need to get the master 
> working for the way you want it to run, so you should test that way.  If 
> you installed Puppet via a package (RPM, DEB, etc.) then it probably set up 
> an unprivileged user account for you, likely named "puppet" or something 
> similar.  Does the master fail the same way if you launch it as that user?
>
> sudo -u puppet puppet master --debug --verbose --no-daemonize
>
> And also when you launch it via your distro's service management tools?
>
> service puppetmaster start
>
> (or similar).
>
> You might find that it does not.  Inasmuch as puppet fails with a 
> permission error when running from a privileged account, there must be more 
> at play than just ordinary discretionary access controls.  SELinux running 
> in enforcing mode, for example, could allow the master to run correctly 
> when launched by the service manager, but cause permission denials such as 
> you observed when the master is launched directly from a root shell.
>
> Alternatively, if the target file is on a file system mounted read-only, 
> then even root will be unable to modify its contents.  Or if the target 
> file is on a network file system such as NFS, then the local root user may 
> actually have less permission for its contents than some or all ordinary 
> users.
>
> I hope that gives you a nudge in the right direction.  If it is needed, we 
> may be able to render further assistance once you have narrowed down the 
> cause of the permission denial.
>
>
> John
>
>
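An added example, not code from the thread or from Puppet: a small POSIX sh checker for the causes John lists for a "Permission denied" that hits even root on the private_keys directory (plain owner/mode, a read-only or NFS mount, SELinux enforcing). The mounts table is read from /proc/mounts by default but can be passed in, so the matching logic can be run on a constructed sample; the directory path and sample are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Usage: ./keydir-check.sh DIR
# where DIR is the directory named in the Puppet error, e.g.
# /var/lib/puppet/ssl/private_keys (assumed path).

# Print "<fstype> <options>" of the mount containing PATH ($1), picking the
# longest matching mount point from a /proc/mounts-format table ($2, optional).
mount_info_for() {
    _path=$1; _table=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$_table" | awk -v p="$_path" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1)
              if (length(mp) > length(best)) { best = mp; fs = $3; opts = $4 } }
        END { if (best != "") print fs, opts }'
}

# Return 0 if the comma-separated mount options ($1) carry the "ro" flag.
opts_readonly() {
    case ",$1," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# Return 0 only if the current user can really create a file in DIR ($1):
# an actual write attempt, not a guess from the mode bits.
can_write_dir() {
    [ -d "$1" ] || return 1
    _f=$(mktemp "$1/.writetest.XXXXXX" 2>/dev/null) || return 1
    rm -f "$_f"
}

diagnose_keydir() {
    dir=$1
    echo "== $dir as user $(id -un) =="
    ls -ld "$dir" 2>&1                          # DAC: owner, group, mode
    set -- $(mount_info_for "$dir")             # $1 = fstype, $2 = options
    echo "filesystem: ${1:-unknown}  options: ${2:-unknown}"
    opts_readonly "${2:-}" && echo "!! mounted read-only: even root cannot write here"
    case "${1:-}" in nfs*) echo "!! NFS: local root is usually squashed to nobody" ;; esac
    command -v getenforce >/dev/null 2>&1 && echo "SELinux: $(getenforce)"
    if can_write_dir "$dir"; then echo "write test: OK"; else echo "write test: DENIED"; fi
}

[ $# -eq 1 ] && diagnose_keydir "$1"
```

Run it once as root and once as the puppet user (sudo -u puppet) and compare: a DENIED write test with a clean mode line points at a mount option or SELinux rather than ordinary permissions.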
