Issue #21682 has been updated by Raghavendra Rachamadugu.
BTW can you also confirm which directories you think puppet agent --test is trying to write and (presumably) failing due to insufficient privileges. I can try to write to same directory before puppet agent to see if that succeeds - that way we can pursue or eliminate this theory... ---------------------------------------- Bug #21682: puppet agent --test fails when run before puppet daemon obtains signed cert from master https://projects.puppetlabs.com/issues/21682#change-94489 * Author: Raghavendra Rachamadugu * Status: Needs More Information * Priority: High * Assignee: Raghavendra Rachamadugu * Category: * Target version: * Affected Puppet version: * Keywords: * Branch: ---------------------------------------- Repro steps (I'm trying to automate on-boarding of a new node to bring it under Puppet management) 1. Install PE agent on a new node, say node1 2. PE agent automatically checks in with master and submits a CSR 3. Sign the CSR on Puppet master for node1 (optionally set the desired state for this node) 4. Run 'puppet agent --test' on node1 (make sure this happens well under 2 minutes after step 3) It fails with exit code 1 with below output. <pre> [1;35merr: Could not create resources for managing Puppet's files and directories in sections [:main, :agent, :ssl]: undefined method `exists?' for nil:NilClass[0m [1;35merr: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: undefined method `exists?' for nil:NilClass[0m [1;35merr: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: undefined method `exists?' for nil:NilClass[0m [0;32minfo: Caching certificate for main-xyj345w6n6[0m [1;35merr: Could not request certificate: Could not write /etc/puppetlabs/puppet/ssl/certs/main-xyj345w6n6.pem to certdir: undefined method `exists?' for nil:NilClass[0m Exiting; failed to retrieve certificate and waitforcert is disabled </pre> I tested with both PE 2.8.1 and PE 3.0.0. Fails consistently. It looks like the --test starts to succeed after 2 minutes which is when agent daemon is perhaps getting signed cert from master. I'm fine if this is by design but it would help if you suggest a good way to automate the 4 steps needed to on-board a new agent. Few options I could think off are 1. Stop and start the puppet agent. This sounded flaky - stopping the agent right after PE installer returns might surprise agent with an abrupt stop leaving things in half-baked state? 2. Decrease the --waitforcert delay. Unfortunately PE installer doesn't expose setting of this config parameter, so this can't work? 3. Explicitly request agent daemon to immediately check with master to fetch the signed cert. Not sure if such a thing exists today. --waitforcert is documented to be applicable only when running agent in daemon mode. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/groups/opt_out.
