I got a little closer to the answer on this.

The error seems to be SELinux-related. If I disable SELinux on the puppet
master, the error goes away on the client.


I found this in my audit log on the puppet server:

type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for
 pid=3558 comm="ruby"
path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.crt"
dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0
tcontext=system_u:object_r:nfs_t:s0 tclass=file

I ran audit2allow and found this:

grep puppet /var/log/audit/audit.log | audit2allow


#============= passenger_t ==============
allow passenger_t nfs_t:file open;

But how do I turn this into an SELinux command that allows this to work?

thanks!
Tim

On Wed, Jun 17, 2015 at 8:50 AM, Tim Dunphy <bluethu...@gmail.com> wrote:

> mydomain.com <-> jokefire.com
>> Is this copy-n-paste or does the filename and the source name not match?
>
>
> Yah, this was a mistake on my part in trying to obscure the domain name.
> LOL
>
> Sorry about that. But in fact mydomain.com == jokefire.com
>
> Here's the actual definition:
>
> file { "/etc/pki/tls/private/${::hostname}.jokefire.com.key":
>       notify  => Service["bacula-fd"],
>       owner => "bacula",
>       group => "bacula",
>       mode => 0400,
>       require => Package["bacula-client","bacula-common"],
>       source =>
> "puppet:///modules/bacula/${::hostname}/${::hostname}.jokefire.com.key",
>
>      }
>
>     file { "/etc/pki/tls/certs/${::hostname}.jokefire.com.crt":
>       notify  => Service["bacula-fd"],
>       owner => "bacula",
>       group => "bacula",
>       mode => 0400,
>       require => Package["bacula-client","bacula-common"],
>       source =>
> "puppet:///modules/bacula/${::hostname}/${::hostname}.jokefire.com.crt",
>
>      }
>
>
> And the files and directories with ownership/permissions shown:
>
> [root@puppet:/etc/puppet] #ls -lh
> environments/production/modules/bacula/files/{logs,monitor1}
> environments/production/modules/bacula/files/logs:
> total 8.0K
> -rw-r--r--. 1 puppet puppet 1.9K Apr 23 22:14 logs.jokefire.com.crt
> -rw-r--r--. 1 puppet puppet 3.2K Apr 23 22:14 logs.jokefire.com.key
>
> environments/production/modules/bacula/files/monitor1:
> total 8.0K
> -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
> -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key
>
> [root@puppet:/etc/puppet] #ls -ld
> environments/production/modules/bacula/files/{logs,monitor1}
> drwxr-xr-x. 2 puppet puppet 62 Jun 16 22:13
> environments/production/modules/bacula/files/logs
> drwxr-xr-x. 2 puppet puppet 70 Jun 16 22:14
> environments/production/modules/bacula/files/monitor1
>
> And this is the error I'm getting on the monitor1 host:
>
> Error:
> /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor1.jokefire.com.crt]:
> Could not evaluate: Could not retrieve information from environment
> production source(s)
> puppet:///modules/bacula/monitor1/monitor1.jokefire.com.crt
> Error:
> /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor1.jokefire.com.key]:
> Could not evaluate: Could not retrieve information from environment
> production source(s)
> puppet:///modules/bacula/monitor1/monitor1.jokefire.com.key
>
> But, paradoxically, the logs host (which is also shown above) works fine.
> Same formula in the config manifest, different directories but same
> permissions on the source files, yet only one fails! This just isn't making
> any sense to me.
>
> Puppet should be able to select the correct directory name to pull from
> for the monitor1 host based on the $hostname fact just as it does for the
> logs host.
>
> Any thoughts?
>
> Thanks,
> Tim
>
>
>
> On Wed, Jun 17, 2015 at 3:18 AM, Martin Alfke <tux...@gmail.com> wrote:
>
>> Hi Tim,
>>
>> the agent wants to fetch the file
>> > puppet:///modules/bacula/monitor1/monitor1.mydomain.com.crt
>>
>> But on the Master you are showing us a file with the name:
>> > environments/production/modules/bacula/files/monitor1:
>> > total 8.0K
>> > -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
>> > -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key
>>
>> mydomain.com <-> jokefire.com
>>
>> Is this copy-n-paste or does the filename and the source name not match?
>>
>> Best,
>> Martin
>>
>>
>> On 17 Jun 2015, at 04:20, Tim Dunphy <bluethu...@gmail.com> wrote:
>>
>> > Hi all,
>> >
>> >  I've set up a puppet module to install and keep the bacula backup
>> system running on a number of systems.
>> >
>> >
>> > Part of the formula I've come up with is to transfer an SSL cert/key
>> pair to each host that uses the module, so that bacula can work over TLS.
>> >
>> >  I have this defined in my bacula config manifest:
>> >
>> > file { "/etc/pki/tls/private/${::hostname}.mydomain.com.key":
>> >       notify  => Service["bacula-fd"],
>> >       owner => "bacula",
>> >       group => "bacula",
>> >       mode => 0400,
>> >       require => Package["bacula-client","bacula-common"],
>> >       source =>
>> "puppet:///modules/bacula/${::hostname}/${::hostname}.mydomain.com.key",
>> >
>> >      }
>> >
>> >     file { "/etc/pki/tls/certs/${::hostname}.mydomain.com.crt":
>> >       notify  => Service["bacula-fd"],
>> >       owner => "bacula",
>> >       group => "bacula",
>> >       mode => 0400,
>> >       require => Package["bacula-client","bacula-common"],
>> >       source =>
>> "puppet:///modules/bacula/${::hostname}/${::hostname}.mydomain.com.crt",
>> >
>> >      }
>> >
>> >
>> >
>> > This has been working perfectly fine for a while now. But only on SOME
>> hosts that were recently added I'm getting permission denied errors on the
>> keypairs that I'm trying to send over.
>> >
>> >
>> > Error:
>> /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor1.mydomain.com.crt]:
>> Could not evaluate: Could not retrieve information from environment
>> production source(s)
>> puppet:///modules/bacula/monitor1/monitor1.mydomain.com.crt
>> > Error:
>> /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor1.mydomain.com.key]:
>> Could not evaluate: Could not retrieve information from environment
>> production source(s)
>> puppet:///modules/bacula/monitor1/monitor1.mydomain.com.key
>> >
>> > And this is the weird part! All of the directories that I'm
>> transferring keys and certs from have identical ownership and permissions
>> for both the working and the non-working hosts!
>> >
>> > This is a directory listing of certs and keys that does NOT work:
>> >
>> > environments/production/modules/bacula/files/monitor1:
>> > total 8.0K
>> > -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
>> > -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key
>> >
>> >
>> > And this is a listing from a directory containing certs and keys that
>> DOES work:
>> >
>> > environments/production/modules/bacula/files/logs:
>> > total 8.0K
>> > -rw-r--r--. 1 puppet puppet 1.9K Apr 23 22:14 logs.jokefire.com.crt
>> > -rw-r--r--. 1 puppet puppet 3.2K Apr 23 22:14 logs.jokefire.com.key
>> >
>> > And these are permissions on the directories themselves:
>> >
>> > drwxr-xr-x. 2 puppet puppet 62 Jun 16 22:13
>> environments/production/modules/bacula/files/logs
>> > drwxr-xr-x. 2 puppet puppet 70 Jun 16 22:14
>> environments/production/modules/bacula/files/monitor1
>> >
>> > Trouble is I can tell no difference between the working and non-working
>> directories.
>> >
>> > If I run puppet with the bacula module on the monitor1 host, I get the
>> error. If I run puppet with the bacula module on the logs host, everything
>> works fine!
>> >
>> > I'm just wondering what I may be missing that could get rid of that
>> error!
>> >
>> > Thanks,
>> > Tim
>> > --
>> > GPG me!!
>> >
>> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>> >
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> Groups "Puppet Users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> an email to puppet-users+unsubscr...@googlegroups.com.
>> > To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/CAOZy0ekwcGN%2B609_K0pS6-zm%2B5tEpCpqkx_LHHmrhCk0cb-MsQ%40mail.gmail.com
>> .
>> > For more options, visit https://groups.google.com/d/optout.
>>
>
>
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
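As an added example (not code from this thread, and not part of Puppet or the SELinux tools), the POSIX shell script below does by hand what `audit2allow -M` does with the denial quoted at the top of the thread: it parses AVC records from the audit log and writes the type-enforcement (.te) source of a loadable policy module, so the rule set can be read and checked before anything is compiled or loaded. The AVC records embedded in it are constructed for the example, modelled on the `passenger_t` / `nfs_t` record in the thread; the module name `passenger_nfs` is an assumption.

```shell
#!/bin/sh
# Constructed sample denials, modelled on the AVC record quoted in the thread.
# In /var/log/audit/audit.log each record is a single line.
SAMPLE_AVC='type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for  pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1434769415.001:563): avc:  denied  { read getattr } for  pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.key" dev="vda1" ino=1842006 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_to_te MODULE_NAME
# Reads AVC denial records on stdin and prints .te source of the kind that
# `audit2allow -M MODULE_NAME` generates: a require block naming every type and
# every class/permission used, then one allow rule per distinct
# (source type, target type, class, permission). Nothing is inferred beyond
# the fields in the records, so the module is exactly as broad as the denials
# fed to it, and the output is deterministic (first-appearance order).
avc_to_te() {
    awk -v name="$1" '
    # Value of "key=value" on the line, up to the next whitespace.
    function after(line, key,    s) {
        s = substr(line, index(line, key) + length(key))
        sub(/[ \t].*/, "", s)
        return s
    }
    # SELinux context user:role:type:level -> type.
    function ctx_type(line, key,    parts) {
        split(after(line, key), parts, ":")
        return parts[3]
    }
    /avc: *denied/ {
        b = index($0, "{"); e = index($0, "}")
        if (b == 0 || e <= b) next              # malformed record, skip it
        perms = substr($0, b + 1, e - b - 1)    # e.g. " read getattr "
        src = ctx_type($0, "scontext=")
        tgt = ctx_type($0, "tcontext=")
        cls = after($0, "tclass=")
        if (!(src in seen_t)) { seen_t[src] = 1; tlist[++nt] = src }
        if (!(tgt in seen_t)) { seen_t[tgt] = 1; tlist[++nt] = tgt }
        if (!(cls in seen_c)) { seen_c[cls] = 1; clist[++nc] = cls }
        n = split(perms, p, " ")                # " " splits on runs of blanks
        for (i = 1; i <= n; i++) {
            if (!((cls, p[i]) in seen_cp)) {
                seen_cp[cls, p[i]] = 1
                cperms[cls] = cperms[cls] " " p[i]
            }
            rule = "allow " src " " tgt ":" cls " " p[i] ";"
            if (!(rule in seen_r)) { seen_r[rule] = 1; rlist[++nr] = rule }
        }
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], cperms[clist[i]]
        printf "}\n\n# %d allow rule(s) derived from the AVC records on stdin\n", nr
        for (i = 1; i <= nr; i++) print rlist[i]
    }'
}

# Stand-alone run: show the module source for the constructed sample.
# To build and load it for real (as root, after reading the .te file):
#   checkmodule -M -m -o passenger_nfs.mod passenger_nfs.te
#   semodule_package -o passenger_nfs.pp -m passenger_nfs.mod
#   semodule -i passenger_nfs.pp
# which are the same steps `audit2allow -M passenger_nfs` runs for you.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te passenger_nfs
```

Two things to check before loading the module. The rule it produces permits `passenger_t` to open (and, in the constructed sample, read) every file labelled `nfs_t`, not only the Puppet module tree, so first look for a distribution boolean that already covers the access (`getsebool -a | grep -i nfs`), which is the narrower and maintained option. Second, the target context `nfs_t` on the denied path means that directory is served from an NFS mount; confirming that with `mount` on the master explains why one module directory can fail while an otherwise identical one on local disk works.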
