On Thursday, April 21, 2016 at 9:03:29 AM UTC-4, jcbollinger wrote:
>
>
>
> On Wednesday, April 20, 2016 at 8:13:52 AM UTC-5, Ugo Bellavance wrote:
>>
>>
>>
>> On Wednesday, April 20, 2016 at 9:03:35 AM UTC-4, jcbollinger wrote:
>>>
>>>
>>>
>>> On Tuesday, April 19, 2016 at 12:36:47 PM UTC-5, Ugo Bellavance wrote:
>>>
>>> This:
>>>
>>>
>>>> When debugging on the master:
>>>>
>>>> # puppet master --debug --compile agent1.example.com | grep hiera |
>>>> grep -v Cannot | grep -v Looking
>>>> [...]
>>>> Debug: hiera(): Hiera YAML backend starting
>>>> Debug: hiera(): Found classes in host/agent1.example.com
>>>> [...]
>>>>
>>>
>>>
>>> Shows that your Hiera config and data are fine.
>>>
>>> You haven't presented any logs of the actual puppetmaster service
>>> failure, and these might be more illuminating, but at this point I'm
>>> inclined to guess that your problem is one of two things:
>>>
>>> 1. perhaps the master is running with a stale Hiera config, and
>>> needs to be restarted to see the up-to-date one, or
>>> 2. access controls on one or more of the Hiera data files prevent
>>> the puppetmaster process from reading them.
>>>
>>> I'd rate the latter as somewhat more likely.
>>>
>>
>> Here are the logs on the puppet master (please note that I don't use the
>> fileserver anymore and as you can see, I restarted the master just before
>> testing):
>>
>> Apr 20 09:08:51 master puppet-master[26083]: Starting Puppet master
>> version 3.6.2
>> Apr 20 09:09:27 master puppet-master[26083]: Removing mount "files":
>> /var/lib/puppet/files does not exist or is not a directory
>> Apr 20 09:09:27 master puppet-master[26083]: Error parsing fileserver
>> configuration: wrong number of arguments (3 for 0..1); using old
>> configuration
>> Apr 20 09:09:31 master puppet-master[26083]: The use of 'import' is
>> deprecated at /etc/puppet/manifests/site.pp:4. See
>> http://links.puppetlabs.com/puppet-import-deprecation
>> Apr 20 09:09:31 master puppet-master[26083]: (at grammar.ra:610:in
>> `block in _reduce_190')
>> Apr 20 09:09:32 master puppet-master[26083]: Could not find data item
>> classes in any Hiera data file and no default supplied at
>> /etc/puppet/manifests/site.pp:12 on node
>> agent1.atqlan.agri-tracabilite.qc.ca
>> Apr 20 09:09:32 master puppet-master[26083]: Could not find data item
>> classes in any Hiera data file and no default supplied at
>> /etc/puppet/manifests/site.pp:12 on node agent1.
>> atqlan.agri-tracabilite.qc.ca
>> Apr 20 09:09:32 master puppet-master[26083]: Could not find data item
>> classes in any Hiera data file and no default supplied at
>> /etc/puppet/manifests/site.pp:12 on node agent1.
>> atqlan.agri-tracabilite.qc.ca
>>
>>
>
>
> Well, that at least does demonstrate that the problem is not a stale Hiera
> config. The verbosity and logging level are apparently set low enough that
> the HIera lookup details are not reported. Did you check the access
> controls on the data files and the directories in the path to them? Can a
> process running with the same uid / gid as the master does access and read
> the data files?
>
It looks like you found it John! Thanks a lot.
In fact, the files were in /var/lib/hiera/ (the default for my puppet
binary), but SELinux contexts were not appropriate on the folder and its
files. I could have fixed them manually, but instead I moved them to
/etc/puppet/hiera and ran restorecon -Rv on the folder to make sure SELinux
contexts were adjusted correctly. Running restorecon on /var/lib/hiera/
doesn't change anything.
I'm kind of mad at me for not seeing this log entry:
type=AVC msg=audit(1461246504.666:74599): avc: denied { getattr } for
pid=4901 comm="puppet" path="/var/lib/hiera/common.yaml" dev="dm-4"
ino=25715620 scontext=system_u:system_r:puppetmaster_t:s0
tcontext=unconfined_u:object_r:var_
lib_t:s0 tclass=file
This a test server and on setroubleshoot was not configure like on my
production server. I'll go configure it now and continue my puppet work.
Thanks!
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/3a93801d-e263-4bab-b57b-3b8f5c633fb6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
