I got a little closer to the answer on this.
The error seems to be SELinux related. If I disable SELinux on the puppet
master, the error goes away on the client.
I found this in my audit log on the puppet server:
type=AVC msg=audit(1434769414.956:562): avc: denied { open } for
pid=3558 comm="ruby"
path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.crt"
dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file
I ran audit2allow and found this:
grep puppet /var/log/audit/audit.log | audit2allow
#============= passenger_t ==============
allow passenger_t nfs_t:file open;
But how do I turn this into an SELinux command that allows this to work?
Thanks!
Tim
On Wed, Jun 17, 2015 at 8:50 AM, Tim Dunphy <[email protected]> wrote:
> mydomain.com <-> jokefire.com
>> Is this copy-n-paste or do the filename and the source name not match?
>
>
> Yah, this was a mistake on my part in trying to obscure the domain name.
> LOL
>
> Sorry about that. But in fact mydomain.com == jokefire.com
>
> Here's the actual definition:
>
> file { "/etc/pki/tls/private/${::hostname}.jokefire.com.key":
>   notify  => Service["bacula-fd"],
>   owner   => "bacula",
>   group   => "bacula",
>   mode    => 0400,
>   require => Package["bacula-client","bacula-common"],
>   source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.jokefire.com.key",
> }
>
> file { "/etc/pki/tls/certs/${::hostname}.jokefire.com.crt":
>   notify  => Service["bacula-fd"],
>   owner   => "bacula",
>   group   => "bacula",
>   mode    => 0400,
>   require => Package["bacula-client","bacula-common"],
>   source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.jokefire.com.crt",
> }
>
>
> And the files and directories with ownership/permissions shown:
>
> [root@puppet:/etc/puppet] #ls -lh environments/production/modules/bacula/files/{logs,monitor1}
> environments/production/modules/bacula/files/logs:
> total 8.0K
> -rw-r--r--. 1 puppet puppet 1.9K Apr 23 22:14 logs.jokefire.com.crt
> -rw-r--r--. 1 puppet puppet 3.2K Apr 23 22:14 logs.jokefire.com.key
>
> environments/production/modules/bacula/files/monitor1:
> total 8.0K
> -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
> -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key
>
> [root@puppet:/etc/puppet] #ls -ld environments/production/modules/bacula/files/{logs,monitor1}
> drwxr-xr-x. 2 puppet puppet 62 Jun 16 22:13 environments/production/modules/bacula/files/logs
> drwxr-xr-x. 2 puppet puppet 70 Jun 16 22:14 environments/production/modules/bacula/files/monitor1
>
> And this is the error I'm getting on the monitor1 host:
>
> Error:
> /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor1.jokefire.com.crt]:
> Could not evaluate: Could not retrieve information from environment
> production source(s)
> puppet:///modules/bacula/monitor1/monitor1.jokefire.com.crt
> Error:
> /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor1.jokefire.com.key]:
> Could not evaluate: Could not retrieve information from environment
> production source(s)
> puppet:///modules/bacula/monitor1/monitor1.jokefire.com.key
>
> But, paradoxically, the logs host (which is also shown above) works fine.
> Same formula in the config manifest, different directories but same
> permissions on the source files, yet only one fails! This just isn't making
> any sense to me.
>
> Puppet should be able to select the correct directory name to pull from
> for the monitor1 host based on the $hostname fact just as it does for the
> logs host.
>
> Any thoughts?
>
> Thanks,
> Tim
>
>
>
> On Wed, Jun 17, 2015 at 3:18 AM, Martin Alfke <[email protected]> wrote:
>
>> Hi Tim,
>>
>> the agent wants to fetch the file
>> > puppet:///modules/bacula/monitor1/monitor1.mydomain.com.crt
>>
>> But on the Master you are showing us a file with the name:
>> > environments/production/modules/bacula/files/monitor1:
>> > total 8.0K
>> > -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
>> > -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key
>>
>> mydomain.com <-> jokefire.com
>>
>> Is this copy-n-paste or do the filename and the source name not match?
>>
>> Best,
>> Martin
>>
>>
>> On 17 Jun 2015, at 04:20, Tim Dunphy <[email protected]> wrote:
>>
>> > Hi all,
>> >
>> > I've set up a puppet module to install and keep the bacula backup
>> system running on a number of systems.
>> >
>> >
>> > Part of the formula I've come up with is to transfer an SSL cert/key
>> pair to each host that uses the module. So that bacula can work over TLS.
>> >
>> > I have this defined in my bacula config manifest:
>> >
>> > file { "/etc/pki/tls/private/${::hostname}.mydomain.com.key":
>> >   notify  => Service["bacula-fd"],
>> >   owner   => "bacula",
>> >   group   => "bacula",
>> >   mode    => 0400,
>> >   require => Package["bacula-client","bacula-common"],
>> >   source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.mydomain.com.key",
>> > }
>> >
>> > file { "/etc/pki/tls/certs/${::hostname}.mydomain.com.crt":
>> >   notify  => Service["bacula-fd"],
>> >   owner   => "bacula",
>> >   group   => "bacula",
>> >   mode    => 0400,
>> >   require => Package["bacula-client","bacula-common"],
>> >   source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.mydomain.com.crt",
>> > }
>> >
>> >
>> >
>> > This has been working perfectly fine for a while now. But only on SOME
>> hosts that were recently added, I'm getting permission denied errors on the
>> keypairs that I'm trying to send over.
>> >
>> >
>> > Error:
>> /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor1.mydomain.com.crt]:
>> Could not evaluate: Could not retrieve information from environment
>> production source(s)
>> puppet:///modules/bacula/monitor1/monitor1.mydomain.com.crt
>> > Error:
>> /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor1.mydomain.com.key]:
>> Could not evaluate: Could not retrieve information from environment
>> production source(s)
>> puppet:///modules/bacula/monitor1/monitor1.mydomain.com.key
>> >
>> > And this is the weird part! All of the directories that I'm
>> transferring keys and certs from have identical ownership and permissions
>> for both the working and the non-working hosts!
>> >
>> > This is a directory listing of certs and keys that does NOT work:
>> >
>> > environments/production/modules/bacula/files/monitor1:
>> > total 8.0K
>> > -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
>> > -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key
>> >
>> >
>> > And this is a listing from a directory containing certs and keys that
>> DOES work:
>> >
>> > environments/production/modules/bacula/files/logs:
>> > total 8.0K
>> > -rw-r--r--. 1 puppet puppet 1.9K Apr 23 22:14 logs.jokefire.com.crt
>> > -rw-r--r--. 1 puppet puppet 3.2K Apr 23 22:14 logs.jokefire.com.key
>> >
>> > And these are permissions on the directories themselves:
>> >
>> > drwxr-xr-x. 2 puppet puppet 62 Jun 16 22:13
>> environments/production/modules/bacula/files/logs
>> > drwxr-xr-x. 2 puppet puppet 70 Jun 16 22:14
>> environments/production/modules/bacula/files/monitor1
>> >
>> > Trouble is, I can tell no difference between the working and non-working
>> directories.
>> >
>> > If I run puppet with the bacula module on the monitor1 host, I get the
>> error. If I run puppet with the bacula module on the logs host, everything
>> works fine!
>> >
>> > I'm just wondering what I may be missing that could get rid of that
>> error!
>> >
>> > Thanks,
>> > Tim
>> > --
>> > GPG me!!
>> >
>> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> >
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups "Puppet Users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to [email protected].
>> > To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/CAOZy0ekwcGN%2B609_K0pS6-zm%2B5tEpCpqkx_LHHmrhCk0cb-MsQ%40mail.gmail.com
>> .
>> > For more options, visit https://groups.google.com/d/optout.
>>
>>
>
>
>
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
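As an added example that is not part of the thread: these POSIX sh helpers pull the source and target types out of the AVC record quoted above, rebuild the allow rule audit2allow printed, and decide whether the narrower fix is relabelling the file rather than loading a policy module. The module name puppet_nfs and the expected type used in the test are placeholders; matchpathcon, restorecon, audit2allow -M and semodule -i are the real tools the commented live commands call.

```shell
#!/bin/sh
# Triage helpers for the AVC denial quoted above (added example, not from the thread).
# The record below is the thread's audit line re-joined onto a single line.
AVC='type=AVC msg=audit(1434769414.956:562): avc: denied { open } for pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... in an AVC record, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_type CONTEXT: the type component (user:role:TYPE:level) of an SELinux context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE: the permission(s) listed in "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_rule LINE: the allow rule audit2allow derives from this one record.
avc_rule() {
    s=$(avc_type "$(avc_field "$1" scontext)")
    t=$(avc_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perm "$1")
    case $p in *' '*) p="{ $p }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$s" "$t" "$c" "$p"
}

# avc_advice LINE EXPECTED_TYPE: "relabel" when the file's type differs from the
# type the policy expects for that path (on a live master EXPECTED_TYPE comes from
# `matchpathcon -n "$path"`), otherwise "policy". A file on a local disk (dev="vda1")
# carrying nfs_t is usually a stray label (mv keeps the source label, cp does not),
# so relabelling is narrower than letting passenger_t open every nfs_t file.
avc_advice() {
    [ "$(avc_type "$(avc_field "$1" tcontext)")" = "$2" ] && echo policy || echo relabel
}

# Live usage on the master (commented out; needs the SELinux tooling installed):
#   path=$(avc_field "$AVC" path)
#   case $(avc_advice "$AVC" "$(avc_type "$(matchpathcon -n "$path")")") in
#     relabel) restorecon -Rv "$(dirname "$path")" ;;
#     policy)  grep passenger_t /var/log/audit/audit.log | audit2allow -M puppet_nfs &&
#              semodule -i puppet_nfs.pp ;;
#   esac
avc_rule "$AVC"
```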