[Puppet Users] Error 400 on SERVER: Permission denied.
Note - a puppet newbie here - any help is much appreciated :-)

We are getting a "Failed to generate additional resources using 'eval_generate': Error 400 on SERVER: Permission denied" whenever a file being accessed/referenced via the file resource (directive) "recurse = remote" function is not world readable on the puppet master.

It does not appear to be a file owner/group thing - it appears that all files within the source tree actually require file level accessibility to be world readable (004 mask) on the master so as to deploy the file within a recursive block to a node without the above error. This is on PE 3.7.2 CentOS 6.8.

Is this a bug? Is this a configuration setting?

The thing is that this is a blocker for us - we would like to deploy a directory tree but the world permissions cannot have read access on the node once deployed. huh?

Thanks in advance!

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/aab09cff-2d12-4094-99af-50e2558d6c72%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
And an error that arose in the past hour which I just figured out needed this access:

allow httpd_t puppet_var_lib_t:file append;

G'night,
Dave
--
David Chin, Ph.D.
chi...@wfu.edu High Performance Computing Systems Analyst
Office: +1.336.758.2964 Wake Forest University
Mobile: +1.336.608.0793 Winston-Salem, NC
Email-to-txt: 3366080...@mms.att.net Google Talk: chi...@wfu.edu
Web: http://www.wfu.edu/~chindw
https://plus.google.com/108169173177119739731/about

On Fri, Jan 13, 2012 at 01:30, David Chin wrote:
> Some details on how I fixed it. There were also lots of mod_passenger
> SELinux issues that were fixed, too. I didn't pick out the specific
> subset of issues that only fixed Puppet.
>
> Credit due to: http://skippy.net/puppet-subversion-selinux
>
> # setsebool -P allow_ypbind 1
> # ausearch -m avc | audit2allow -r > puppet_passenger.te
> # mkdir -p /usr/share/selinux/packages/puppet_passenger
> # mv puppet_passenger.te /usr/share/selinux/packages/puppet_passenger
> # cd /usr/share/selinux/packages/puppet_passenger
> # checkmodule -M -m -o puppet_passenger.mod puppet_passenger.te
> checkmodule: loading policy configuration from puppet_passenger.te
> checkmodule: policy configuration loaded
> checkmodule: writing binary representation (version 10) to puppet_passenger.mod
> # semodule_package -o puppet_passenger.pp -m puppet_passenger.mod
> # semodule -i puppet_passenger.pp
>
> The specific issues that arose from httpd_t's need for access to
> puppet stuff were:
>
> allow httpd_t puppet_var_lib_t:dir { write read create add_name };
> allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto create write };
>
> Hope that helps,
> Dave

Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
Some details on how I fixed it. There were also lots of mod_passenger SELinux issues that were fixed, too. I didn't pick out the specific subset of issues that only fixed Puppet.

Credit due to: http://skippy.net/puppet-subversion-selinux

# setsebool -P allow_ypbind 1
# ausearch -m avc | audit2allow -r > puppet_passenger.te
# mkdir -p /usr/share/selinux/packages/puppet_passenger
# mv puppet_passenger.te /usr/share/selinux/packages/puppet_passenger
# cd /usr/share/selinux/packages/puppet_passenger
# checkmodule -M -m -o puppet_passenger.mod puppet_passenger.te
checkmodule: loading policy configuration from puppet_passenger.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 10) to puppet_passenger.mod
# semodule_package -o puppet_passenger.pp -m puppet_passenger.mod
# semodule -i puppet_passenger.pp

The specific issues that arose from httpd_t's need for access to puppet stuff were:

allow httpd_t puppet_var_lib_t:dir { write read create add_name };
allow httpd_t puppet_var_lib_t:file { relabelfrom relabelto create write };

Hope that helps,
Dave
--
David Chin, Ph.D.

On Mon, Jan 9, 2012 at 11:31, David Chin wrote:
> Turns out to be SELinux: httpd_t needs file write to puppet_var_lib_t.
>
> Cheers,
> Dave

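Added example, not part of the original thread or of the poster's fix: `ausearch -m avc | audit2allow` turns every logged denial into policy, and the message above notes that the Puppet-specific subset was not separated out. The sketch below keeps only denials for one source/target type pair and prints merged allow rules for review before any module is built; the function names `sample_avc_log` and `avc_allow_rules` and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from the thread).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1326400001.101:501): avc:  denied  { write add_name } for  pid=2101 comm="ruby" name="facts" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1326400001.102:502): avc:  denied  { write } for  pid=2101 comm="ruby" name="puppet.example.com.yaml" dev=dm-0 ino=1312 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1326400002.201:503): avc:  denied  { append } for  pid=2101 comm="ruby" name="puppet.example.com.yaml" dev=dm-0 ino=1312 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1326400003.301:504): avc:  denied  { read } for  pid=2200 comm="httpd" name="notes.txt" dev=dm-0 ino=9001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1326400004.401:505): avc:  denied  { write } for  pid=2101 comm="ruby" name="facts" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:puppet_var_lib_t:s0 tclass=dir
EOF
}

# avc_allow_rules SRC_TYPE TGT_TYPE
# Reads audit log lines on stdin; prints one allow rule per object class,
# built only from denials where SRC_TYPE was refused access to TGT_TYPE.
avc_allow_rules() {
    awk -v src="$1" -v tgt="$2" '
    # The SELinux type is the third colon-separated field of a context.
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /avc:/ && /denied/ {
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = ctx_type(substr($i, 10))
            else if ($i ~ /^tcontext=/) t = ctx_type(substr($i, 10))
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        if (s != src || t != tgt || c == "") next   # outside the reviewed pair
        inside = 0
        for (i = 1; i <= NF; i++) {                 # words between { and }
            if ($i == "{") { inside = 1; continue }
            if ($i == "}") break
            if (inside) print c, $i
        }
    }' | sort -u | awk -v src="$1" -v tgt="$2" '
    { if (!($1 in perms)) order[++n] = $1; perms[$1] = perms[$1] " " $2 }
    END {
        for (k = 1; k <= n; k++)
            printf "allow %s %s:%s {%s };\n", src, tgt, order[k], perms[order[k]]
    }'
}

sample_avc_log | avc_allow_rules httpd_t puppet_var_lib_t
```

Denials for other type pairs, such as the constructed `user_home_t` line, are left out of the result and can be investigated on their own.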
Re: [Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
Turns out to be SELinux: httpd_t needs file write to puppet_var_lib_t.

Cheers,
Dave
--
David Chin, Ph.D.

On Fri, Jan 6, 2012 at 17:04, David Chin wrote:
> Hello,
>
> I'm new to puppet, and am working through the Pro Puppet book
> (Turnbull & McCune). After a bit of struggling, I managed to get
> puppet + passenger + apache mostly working: a simple connect to the
> server on https port 8140 gives "The environment must be purely
> alphanumeric, not ''"
>
> Here is what I have running:
> - RedHat Enterprise Linux 6
> - httpd 2.2.15-15.el6
> - puppet 2.7.9-1.el6
> - puppet-server 2.7.9-1.el6
> - mod_passenger 3.0.11-1.el6
> - rubygem-rack 1.1.0-2.el6
> - facter 1.6.4-1.el6
>
> I'm sanitizing data here by using "puppet.example.com" as the server
> name.
>
> My /etc/puppet/puppet.conf has:
> [main]
> server = puppet.example.com
>
> On the puppet server, I am trying to test by doing:
> puppet agent --verbose --debug --test
>
> I get the error message:
>
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/puppet.example.com.yaml
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> Permissions on /var/lib/puppet/yaml/facts:
>
> drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/yaml/facts/
>
> I manually created the .yaml file by doing:
> facter -y > ${factsdir}/$(facter fqdn).yaml
>
> Thanks in advance for any pointers.
>
> Cheers,
> -- David Chin

[Puppet Users] Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/server.example.com.yaml
Hello,

I'm new to puppet, and am working through the Pro Puppet book (Turnbull & McCune). After a bit of struggling, I managed to get puppet + passenger + apache mostly working: a simple connect to the server on https port 8140 gives "The environment must be purely alphanumeric, not ''"

Here is what I have running:
- RedHat Enterprise Linux 6
- httpd 2.2.15-15.el6
- puppet 2.7.9-1.el6
- puppet-server 2.7.9-1.el6
- mod_passenger 3.0.11-1.el6
- rubygem-rack 1.1.0-2.el6
- facter 1.6.4-1.el6

I'm sanitizing data here by using "puppet.example.com" as the server name.

My /etc/puppet/puppet.conf has:
[main]
server = puppet.example.com

On the puppet server, I am trying to test by doing:
puppet agent --verbose --debug --test

I get the error message:

err: Could not retrieve catalog from remote server: Error 400 on SERVER: Permission denied - /var/lib/puppet/yaml/facts/puppet.example.com.yaml
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Permissions on /var/lib/puppet/yaml/facts:

drwxr-x---. puppet puppet unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/yaml/facts/

I manually created the .yaml file by doing:
facter -y > ${factsdir}/$(facter fqdn).yaml

Thanks in advance for any pointers.

Cheers,
-- David Chin