Issue #22273 has been updated by Josh Partlow.

Keywords changed from rhel6 packages settings mkusers ca to packages settings mkusers ca

This affects all the Redhat and Debian packages.

I'm wondering if it comes down to /var/lib/puppet not having user/group 
controlled.

The failure is from: 
https://github.com/puppetlabs/puppet/blob/master/lib/puppet/network/http/webrick.rb#L98

    Sep 10 16:04:40 (none) puppet-master[2910]: Starting Puppet master version 3.3.0-rc3
    Sep 10 16:04:40 (none) puppet-master[2910]: Could not run: Could not find CA certificate
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:98:in `setup_ssl'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:18:in `listen'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/network/server.rb:27:in `start'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/daemon.rb:139:in `start'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:289:in `start_webrick_master'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:205:in `main'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:165:in `run_command'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application.rb:364:in `run'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application.rb:457:in `plugin_hook'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application.rb:364:in `run'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/util.rb:485:in `exit_on_fail'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/application.rb:364:in `run'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:132:in `run'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:86:in `execute'
    Sep 10 16:04:40 (none) puppet-master[2910]: /usr/bin/puppet:4

The Webrick@setup_ssl code throws the exception if it can't find the ca cert 
via the indirector.  But the cert is still owned by puppet, even though its 
group is not set properly.  However /var/lib/puppet itself is no longer owned 
by puppet (this was on Lucid):

    root@oxp25qoyatg0yty:~# ls -ld /var/lib/puppet
    drwxr-x--- 13 104 112 4096 2013-09-10 15:44 /var/lib/puppet
    root@oxp25qoyatg0yty:~# ls -l /var/lib/puppet/ssl/certs
    total 8
    -rw-r--r-- 1 puppet 112 1948 2013-09-10 14:02 ca.pem
    -rw-r--r-- 1 puppet 112 2082 2013-09-10 14:02 oxp25qoyatg0yty.delivery.puppetlabs.net.pem

So I think the problem is that puppet no longer has read access to /var/lib/puppet 
at all.
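The comment above reasons from `ls -ld` output to an access failure. The following Python is an added example, not part of the Puppet issue or of Puppet's own code. It models the POSIX permission-class selection (owner, group, other) that produces that result: it takes the listing from the comment (`drwxr-x--- 104 112` on /var/lib/puppet, `-rw-r--r-- puppet 112` on ca.pem) as a constructed in-memory tree, shows why the re-created puppet user cannot reach a world-readable ca.pem, lists every entry under the data directory whose owner or group does not match the current ids (what `find /var/lib/puppet ! -user puppet -o ! -group puppet` reports on a live host), and shows that a recursive chown restores access. The numeric ids of the re-created user (1001:1001), the modes of the intermediate `ssl` and `ssl/certs` directories, and the `scan_tree` helper for building the same model from a real directory are assumptions.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """One filesystem entry: permission bits only (0o750, 0o644, ...) plus owner ids."""
    path: str
    mode: int
    uid: int
    gid: int


def class_bits(node, uid, gids):
    """POSIX picks exactly one class for a caller: owner if the uid matches,
    else group if the entry's gid is one of the caller's groups, else other.
    Returns the (r, w, x) bits of that class. Root's DAC bypass is deliberately
    not modelled: the question is what an unprivileged daemon user can do."""
    if node.uid == uid:
        shift = 6
    elif node.gid in gids:
        shift = 3
    else:
        shift = 0
    bits = (node.mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)


def explain_read(tree, target, uid, gids):
    """Return (ok, reason). Reading a file needs search (x) on every ancestor
    directory and read (r) on the file itself; the first failing component wins,
    which is why a world-readable ca.pem can still be unreachable."""
    parts = target.strip("/").split("/")
    for depth in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:depth])
        node = tree[ancestor]
        if not class_bits(node, uid, gids)[2]:
            return False, (f"{ancestor} (mode {node.mode:04o}, owner {node.uid}:{node.gid}) "
                           f"denies search to uid {uid}")
    node = tree[target]
    if not class_bits(node, uid, gids)[0]:
        return False, (f"{target} (mode {node.mode:04o}, owner {node.uid}:{node.gid}) "
                       f"denies read to uid {uid}")
    return True, f"{target} is readable by uid {uid}"


def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")


def stale_owned(tree, prefix, uid, gid):
    """Entries under prefix whose owner or group is not the expected id: the
    in-memory equivalent of `find PREFIX ! -user puppet -o ! -group puppet`."""
    return sorted(p for p, n in tree.items()
                  if _under(p, prefix) and (n.uid != uid or n.gid != gid))


def chown_recursive(tree, prefix, uid, gid):
    """Model `chown -R uid:gid PREFIX`, returning a new tree."""
    return {p: Node(p, n.mode, uid, gid) if _under(p, prefix) else n
            for p, n in tree.items()}


def scan_tree(root):
    """Assumed helper: build the same model from a real directory, including the
    ancestors of root so explain_read can walk from / on a live host."""
    root = os.path.abspath(root)
    paths, current = [], root
    while True:                      # collect /, /var, /var/lib, ... down to root
        paths.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent
    for dirpath, _, filenames in os.walk(root):
        paths.append(dirpath)
        paths.extend(os.path.join(dirpath, f) for f in filenames)
    tree = {}
    for p in paths:
        st = os.lstat(p)             # lstat: do not follow symlinks out of the tree
        tree[p] = Node(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return tree


# Ids and modes taken from the comment's `ls -ld` / `ls -l` output; the new
# user's ids (1001) and the modes of the two intermediate directories are constructed.
OLD_UID, OLD_GID = 104, 112
NEW_UID, NEW_GID = 1001, 1001
PUPPET_DIR = "/var/lib/puppet"
CA = "/var/lib/puppet/ssl/certs/ca.pem"

SAMPLE_TREE = {n.path: n for n in [
    Node("/var", 0o755, 0, 0),
    Node("/var/lib", 0o755, 0, 0),
    Node(PUPPET_DIR, 0o750, OLD_UID, OLD_GID),                 # drwxr-x--- 13 104 112
    Node(PUPPET_DIR + "/ssl", 0o771, NEW_UID, OLD_GID),        # constructed
    Node(PUPPET_DIR + "/ssl/certs", 0o755, NEW_UID, OLD_GID),  # constructed
    Node(CA, 0o644, NEW_UID, OLD_GID),                         # -rw-r--r-- 1 puppet 112
]}

if __name__ == "__main__":
    print(explain_read(SAMPLE_TREE, CA, NEW_UID, {NEW_GID}))
    print(stale_owned(SAMPLE_TREE, PUPPET_DIR, NEW_UID, NEW_GID))
    fixed = chown_recursive(SAMPLE_TREE, PUPPET_DIR, NEW_UID, NEW_GID)
    print(explain_read(fixed, CA, NEW_UID, {NEW_GID}))
```

The model shows the failure is at the top of the tree, not at the certificate: `/var/lib/puppet` falls into the "other" class for the new ids and mode 0750 gives that class no search bit, so nothing below it is reachable whatever ca.pem's own mode is. Root reads everything because the kernel skips this check for uid 0, which is why the `ls` in the comment succeeds while the daemon, which drops to the puppet user, does not.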

----------------------------------------
Bug #22273: Puppet does not manage group for all of its configuration.
https://projects.puppetlabs.com/issues/22273#change-97362

* Author: Josh Partlow
* Status: Unreviewed
* Priority: Normal
* Assignee: 
* Category: settings
* Target version: 3.x
* Affected Puppet version: 3.2.4
* Keywords: packages settings mkusers ca
* Branch: 
----------------------------------------
This was identified on rhel6, with puppet installed from the rhel6 packages.  I 
was testing 
acceptance/tests/config/puppet_manages_own_configuration_in_robust_manner.rb 
while updating the acceptance suite for the changes from pe.

On rhel6, when installed from packages, the puppet user and group are created 
with low numbered system ids (in this case 52).  If they are removed and 
`sudo puppet master --mkusers` is executed, a new puppet user and group are created 
in the 500's.  But not all groups are adjusted, and the group does not 
accidentally match (which it might have had the original system and group been 
installed with non-system ids and been in the 500's to begin with...so this 
problem may not be visible if installing from source).

A subsequent `sudo puppet master` fails with the following log output:

    Aug 22 16:03:13 localhost puppet-master[2697]: Reopening log files
    Aug 22 16:03:13 localhost puppet-master[2697]: Starting Puppet master version 3.2.4
    Aug 22 16:03:13 localhost puppet-master[2697]: Could not run: Could not find CA certificate

Steps to reproduce:

    [root@ykkh8vilnuwe3d2 ~]# facter | grep -E '^(os|op|pu|ru)'
    operatingsystem => RedHat
    operatingsystemmajrelease => 6
    operatingsystemrelease => 6.3
    osfamily => RedHat
    puppetversion => 3.2.4
    rubysitedir => /usr/lib/ruby/site_ruby/1.8
    rubyversion => 1.8.7

First capturing original user/group state:

    [root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet
    user { 'puppet':
      ensure           => 'present',
      comment          => 'Puppet',
      gid              => '52',
      home             => '/var/lib/puppet',
      password         => '!!',
      password_max_age => '-1',
      password_min_age => '-1',
      shell            => '/sbin/nologin',
      uid              => '52',
    }
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet
    group { 'puppet':
      ensure => 'present',
      gid    => '52',
    }
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet > original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet > original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet >> original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# echo "Group['puppet'] -> User['puppet']" >> original_user_group_state
    [root@ykkh8vilnuwe3d2 ~]# cat original_user_group_state
    user { 'puppet':
      ensure           => 'present',
      comment          => 'Puppet',
      gid              => '52',
      home             => '/var/lib/puppet',
      password         => '!!',
      password_max_age => '-1',
      password_min_age => '-1',
      shell            => '/sbin/nologin',
      uid              => '52',
    }
    group { 'puppet':
      ensure => 'present',
      gid    => '52',
    }
    Group['puppet'] -> User['puppet']

Then removing the user and group:

    [root@ykkh8vilnuwe3d2 ~]# puppet resource user puppet 'ensure=absent'
    Notice: /User[puppet]/ensure: removed
    user { 'puppet':
      ensure => 'absent',
    }
    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet 'ensure=absent'
    group { 'puppet':
      ensure => 'absent',
    }

And try to start up master with --mkusers:

    [root@ykkh8vilnuwe3d2 ~]# tail -f /var/log/messages &

    ...

    [root@ykkh8vilnuwe3d2 ~]# puppet master --mkusers
    Aug 22 16:40:30 localhost puppet-master[3282]: (/Group[puppet]/ensure) created
    Aug 22 16:40:30 localhost puppet-master[3282]: (/User[puppet]/ensure) created
    Aug 22 16:40:30 localhost puppet-master[3298]: Reopening log files
    Aug 22 16:40:30 localhost puppet-master[3298]: Starting Puppet master version 3.2.4
    Aug 22 16:40:30 localhost puppet-master[3298]: Could not run: Could not find CA certificate
    [root@ykkh8vilnuwe3d2 ~]# ps -ef | grep ruby
    root      3301  3041  0 16:40 pts/1    00:00:00 grep ruby

Taking a look at what has which group in /var/lib/puppet:

    [root@ykkh8vilnuwe3d2 ~]# puppet resource group puppet
    group { 'puppet':
      ensure => 'present',
      gid    => '500',
    }
    [root@ykkh8vilnuwe3d2 ~]# find /var/lib/puppet/ -gid 52
    /var/lib/puppet/
    /var/lib/puppet/ssl/ca/signed/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/ca/signed/yblw2pcb1s33dpr.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/certs/ca.pem
    /var/lib/puppet/ssl/certs/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/crl.pem
    /var/lib/puppet/ssl/private_keys/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/ssl/public_keys/ykkh8vilnuwe3d2.delivery.puppetlabs.net.pem
    /var/lib/puppet/reports/ykkh8vilnuwe3d2.delivery.puppetlabs.net
    /var/lib/puppet/reports/ykkh8vilnuwe3d2.delivery.puppetlabs.net/201308222252.yaml
    /var/lib/puppet/reports/yblw2pcb1s33dpr.delivery.puppetlabs.net
    /var/lib/puppet/reports/yblw2pcb1s33dpr.delivery.puppetlabs.net/201308222252.yaml
    [root@ykkh8vilnuwe3d2 ~]# find /var/lib/puppet/ -gid 500
    /var/lib/puppet/rrd
    /var/lib/puppet/yaml
    /var/lib/puppet/ssl/ca
    /var/lib/puppet/ssl/ca/requests
    /var/lib/puppet/ssl/ca/ca_crl.pem
    /var/lib/puppet/ssl/ca/ca_key.pem
    /var/lib/puppet/ssl/ca/serial
    /var/lib/puppet/ssl/ca/private
    /var/lib/puppet/ssl/ca/private/ca.pass
    /var/lib/puppet/ssl/ca/signed
    /var/lib/puppet/ssl/ca/ca_crt.pem
    /var/lib/puppet/ssl/ca/ca_pub.pem
    /var/lib/puppet/ssl/ca/inventory.txt
    /var/lib/puppet/server_data
    /var/lib/puppet/reports
    /var/lib/puppet/bucket

And now returning to original user and group:

    [root@ykkh8vilnuwe3d2 ~]# puppet apply original_user_group_state
    Notice: Compiled catalog for ykkh8vilnuwe3d2.delivery.puppetlabs.net in environment production in 0.23 seconds
    Notice: /Stage[main]//Group[puppet]/gid: gid changed '500' to '52'
    Notice: /Stage[main]//User[puppet]/home: home changed '/home/puppet' to '/var/lib/puppet'
    Notice: /Stage[main]//User[puppet]/uid: uid changed '500' to '52'
    Notice: /Stage[main]//User[puppet]/comment: comment changed '' to 'Puppet'
    Notice: /Stage[main]//User[puppet]/shell: shell changed '/bin/bash' to '/sbin/nologin'
    Notice: /Stage[main]//User[puppet]/password_min_age: password_min_age changed '0' to '-1'
    Notice: /Stage[main]//User[puppet]/password_max_age: password_max_age changed '99999' to '-1'
    Notice: Finished catalog run in 0.46 seconds
    [root@ykkh8vilnuwe3d2 ~]# puppet master
    Aug 22 16:44:25 localhost puppet-master[3615]: Failed to set SELinux context system_u:object_r:puppet_var_run_t:s0 on /var/run/puppet/master.pid
    Aug 22 16:44:25 localhost puppet-master[3622]: Reopening log files
    Aug 22 16:44:25 localhost puppet-master[3622]: Starting Puppet master version 3.2.4
    [root@ykkh8vilnuwe3d2 ~]# ps -ef | grep ruby
    puppet    3622     1  0 16:44 ?        00:00:00 /usr/bin/ruby /usr/bin/puppet master
    root      3626  3041  0 16:44 pts/1    00:00:00 grep ruby
