Issue #21682 has been updated by eric sorenson.

I have attempted to reproduce this but been unable to. I have a virtualbox environment which brings up cenots64.x86-64 agents quickly. The CSR request/signing auto-approves and the agent runs with --test as part of the bootstrap. I agree with the diagnosis that this is because of the `pe-puppet` user being unavailable to the system at the time the test runs. Does your base image use ldap, nscd, or other directory/network services for name resolution? That pe-puppet user is created as part of the pe-puppet package %pre script section, but perhaps nscd caching or other nsswitch.conf weirdness is causing the getuid call that Charlie pasted to be falsely negative. Could you pepper your bootstrap script with `/usr/bin/id pe-puppet` calls to verify?

----------------------------------------
Bug #21682: puppet agent --test fails when run before puppet daemon obtains signed cert from master
https://projects.puppetlabs.com/issues/21682#change-95828

* Author: Raghavendra Rachamadugu
* Status: Needs More Information
* Priority: Urgent
* Assignee: Charlie Sharpsteen
* Category:
* Target version:
* Affected Puppet version:
* Keywords:
* Branch:
----------------------------------------
Repro steps (I’m trying to automate on-boarding of a new node to bring it under Puppet management)

1. Install PE agent on a new node, say node1
2. PE agent automatically checks in with master and submits a CSR
3. Sign the CSR on Puppet master for node1 (optionally set the desired state for this node)
4. Run ‘puppet agent --test’ on node1 (make sure this happens well under 2 minutes after step 3)

It fails with exit code 1 with below output.

<pre>
err: Could not create resources for managing Puppet's files and directories in sections [:main, :agent, :ssl]: undefined method `exists?' for nil:NilClass
err: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: undefined method `exists?' for nil:NilClass
err: Could not create resources for managing Puppet's files and directories in sections [:main, :ssl]: undefined method `exists?' for nil:NilClass
info: Caching certificate for main-xyj345w6n6
err: Could not request certificate: Could not write /etc/puppetlabs/puppet/ssl/certs/main-xyj345w6n6.pem to certdir: undefined method `exists?' for nil:NilClass
Exiting; failed to retrieve certificate and waitforcert is disabled
</pre>

I tested with both PE 2.8.1 and PE 3.0.0. Fails consistently. It looks like the --test starts to succeed after 2 minutes which is when agent daemon is perhaps getting signed cert from master. I’m fine if this is by design but it would help if you suggest a good way to automate the 4 steps needed to on-board a new agent.

A few options I could think of are

1. Stop and start the puppet agent. This sounded flaky – stopping the agent right after PE installer returns might surprise agent with an abrupt stop leaving things in half-baked state?
2. Decrease the --waitforcert delay. Unfortunately PE installer doesn’t expose setting of this config parameter, so this can’t work?
3. Explicitly request agent daemon to immediately check with master to fetch the signed cert. Not sure if such a thing exists today. --waitforcert is documented to be applicable only when running agent in daemon mode.
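
One way to script the `id pe-puppet` check suggested in the comment above, as an added example that is not part of the original thread or of Puppet itself. The function names, the `PASSWD_FILE` override and the timeout values are assumptions made for illustration; the sketch also compares the local passwd file with the NSS lookup, so a stale negative cache shows up as its own state.

```shell
#!/bin/sh
# Added example: report whether a service account is visible to the system.
# Hypothetical helper names; PASSWD_FILE is overridable so the check can be tested.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Lookup through NSS (nsswitch.conf, nscd, ldap ...), as `id` does it.
nss_lookup() { id -u "$1" >/dev/null 2>&1; }

# Exact match on the first field of the local passwd file, bypassing NSS.
in_local_passwd() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' \
        "$PASSWD_FILE" 2>/dev/null
}

# Prints one of:
#   resolved    account resolves through NSS
#   local-only  present in the passwd file but the NSS lookup fails
#               (points at nscd negative caching or nsswitch.conf ordering)
#   missing     not created yet (package %pre script has not run)
account_state() {
    if nss_lookup "$1"; then
        echo resolved
    elif in_local_passwd "$1"; then
        echo local-only
    else
        echo missing
    fi
}

# Poll until the account resolves; log every check to stderr for the
# bootstrap log. Returns 0 when resolved, 1 when the timeout is reached.
wait_for_account() {
    user=$1; timeout=$2; interval=$3; waited=0
    while :; do
        state=$(account_state "$user")
        echo "$(date '+%H:%M:%S') account $user: $state" >&2
        [ "$state" = resolved ] && return 0
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Usage in a bootstrap script (timeout and interval in seconds are assumptions):
#   wait_for_account pe-puppet 120 5 && puppet agent --test
```

A `local-only` result in the bootstrap log would support the nscd/nsswitch.conf theory, while `missing` would mean the account had not been created when the agent ran.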
