Has anyone else come up with a solution for this? We just booted a new puppet master for the first time in a few weeks and it came up with Passenger 5 (we were on 4.0.69) -- and failed. For the time being we've patched our code to use an updated repo location with Passenger 4.x, but we'd like to be able to use 5. We are seeing the exact same behavior. Puppet 3.7.4 (installed via Debian packages), Ubuntu 12.04.

On Friday, March 13, 2015 at 5:14:32 PM UTC-7, Johnson Earls wrote:
>
> Operating System: Oracle Linux 6.5
> Puppet version: Open Source Puppet 3.7.4 (installed via gems)
> Ruby version: 2.1.0 (locally built package)
> Apache version: 2.2.15
> Passenger version: 5.0.4
>
> I apologise in advance if this post sounds confused and wanders all over;
> it mirrors its author in that respect.
>
> I'm just getting started with puppet. I've got a small 5-node playground
> set up to play with. I set it up using the "Installing Puppet: From Gems"
> instructions (since I wanted to use a newer version of ruby than the 1.8.7
> that Oracle Linux comes with), and I thought everything was going great,
> getting it running under apache/passenger and everything. Then I realized
> I'd forgotten to install the auth.conf file the last time I rebuilt the
> puppet directories. As soon as I installed that file and restarted httpd,
> my agents stopped being able to talk to the server, getting an Error 403
> Forbidden for every access.
>
> The errors, listed here, indicate that the server is recognizing that the
> client is authenticated, so apparently it's just not recognizing the URLs
> being accessed:
>
> Warning: Error 403 on SERVER: Forbidden request:
> rac03n01-dc2.dc2.responsys.com(...) access to /node/
> rac03n01-dc2.dc2.responsys.com [find] authenticated at :123
> Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional
> resources using 'eval_generate': Error 403 on SERVER: Forbidden request:
> rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/pluginfacts
> [search] authenticated at :123
> Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not
> retrieve file metadata for puppet://puppet/pluginfacts: Error 403 on
> SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to
> /file_metadata/pluginfacts [find] authenticated at :123
> Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...)
> access to /file_metadata/pluginfacts [find] authenticated at :123
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> using 'eval_generate': Error 403 on SERVER: Forbidden request:
> rac03n01-dc2.dc2.responsys.com(...) access to /file_metadata/plugins
> [search] authenticated at :123
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve
> file metadata for puppet://puppet/plugins: Error 403 on SERVER: Forbidden
> request: rac03n01-dc2.dc2.responsys.com(...) access to
> /file_metadata/plugins [find] authenticated at :123
> Error 403 on SERVER: Forbidden request: rac03n01-dc2.dc2.responsys.com(...)
> access to /file_metadata/plugins [find] authenticated at :123
> Error: Could not retrieve catalog from remote server: Error 403 on SERVER:
> Forbidden request: rac03n01-dc2.dc2.responsys.com(...) access to /catalog/
> rac03n01-dc2.dc2.responsys.com [find] authenticated at :123
> Error: Could not send report: Error 403 on SERVER: Forbidden request:
> rac03n01-dc2.dc2.responsys.com(...) access to /report/
> rac03n01-dc2.dc2.responsys.com [save] authenticated at :123
>
>
> I noticed that the URLs listed (/node/..., /catalog/..., /report/..., and
> /file_metadata/...) are not listed in the auth.conf at all, but are being
> "inserted" by the puppet master:
>
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~
> ^/catalog/([^/]+)$' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~
> ^/node/([^/]+)$' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/file' (auth
> ) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default
> '/certificate_revocation_list/ca' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '~
> ^/report/([^/]+)$' (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default
> '/certificate/ca' (auth any) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default
> '/certificate/' (auth any) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default
> '/certificate_request' (auth any) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default '/status'
> (auth true) ACL
> Mar 13 16:43:06 ... puppet-master[13013]: Inserting default
> '/v2.0/environments' (auth true) ACL
>
> However, apparently, the default deny-all ACL at the end of auth.conf (at
> line 123 as shown in the errors above) is preventing those default ACLs
> from taking effect.
>
> Once I commented out the default deny-all ACL at the end of auth.conf, my
> access started working again.
>
> Am I reading the logs and auth.conf file correctly in my conclusion that
> the default deny-all ACL is preventing the puppet-inserted ACLs from taking
> effect, or am I misconfigured somewhere else?
>
>
> Thanks in advance,
> - Johnson Earls
>
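
Added example, not part of the original thread: a Ruby triage helper that reads agent errors and master log lines in the format quoted above, records which auth.conf position denied each request, and reports which logged default ACL also covers the denied path. Both logs are constructed, `agent01.example.test` is a placeholder host, and treating a non-regex ACL as a prefix match is an assumption.

```ruby
# Added example (not from the thread). Both logs are constructed in the format
# quoted in the post; agent01.example.test is a placeholder host name.
AGENT_LOG = <<~'LOG'
  Warning: Error 403 on SERVER: Forbidden request: agent01.example.test(...) access to /node/agent01.example.test [find] authenticated at :123
  Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: Error 403 on SERVER: Forbidden request: agent01.example.test(...) access to /file_metadata/pluginfacts [find] authenticated at :123
  Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: agent01.example.test(...) access to /file_metadata/plugins [search] authenticated at :123
  Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: agent01.example.test(...) access to /catalog/agent01.example.test [find] authenticated at :123
  Error: Could not send report: Error 403 on SERVER: Forbidden request: agent01.example.test(...) access to /report/agent01.example.test [save] authenticated at :123
LOG

MASTER_LOG = <<~'LOG'
  puppet-master[13013]: Inserting default '~ ^/catalog/([^/]+)$' (auth true) ACL
  puppet-master[13013]: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL
  puppet-master[13013]: Inserting default '/file' (auth ) ACL
  puppet-master[13013]: Inserting default '~ ^/report/([^/]+)$' (auth true) ACL
  puppet-master[13013]: Inserting default '/status' (auth true) ACL
LOG

FORBIDDEN = /Forbidden request: (?<client>\S+)\(.*?\) access to (?<path>\S+) \[(?<method>\w+)\] authenticated at (?<file>[^:\s]*):(?<line>\d+)/
DEFAULT_ACL = /Inserting default '(?<acl>[^']+)' \(auth (?<auth>[^)]*)\) ACL/

# Turn each logged default ACL into a matcher. "~ " marks a regex ACL; a plain
# path is treated as a prefix match (assumption about auth.conf semantics).
def default_acls(master_log)
  master_log.scan(DEFAULT_ACL).map do |acl, _auth|
    pattern = acl.start_with?('~ ') ? Regexp.new(acl.sub(/\A~\s+/, '')) : nil
    [acl, ->(path) { pattern ? pattern.match?(path) : path.start_with?(acl) }]
  end
end

# Extract every denial and note which logged default ACL, if any, covers its path.
def denials(agent_log, master_log)
  acls = default_acls(master_log)
  agent_log.scan(FORBIDDEN).map do |client, path, method, file, line|
    covering = acls.find { |_acl, matcher| matcher.call(path) }
    { client: client, path: path, method: method,
      denied_at: "#{file}:#{line}", default_acl: covering&.first }
  end
end

if __FILE__ == $PROGRAM_NAME
  denials(AGENT_LOG, MASTER_LOG).group_by { |r| r[:denied_at] }.each do |rule, recs|
    puts "denied at #{rule}: #{recs.size} request(s)"
    recs.each { |r| puts "  #{r[:method]} #{r[:path]} -> default ACL: #{r[:default_acl] || 'none'}" }
  end
end
```

When every denial points at the same position while its path is also covered by a logged default ACL, the rule at that position is the one to inspect first.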
