[Puppet Users] Re: Puppet 0.25 migration

2009-09-15 Thread Matt

I used the example one from 0.25 - changed the hostname for the cert,
and the path for the DocumentRoot/Directory.

2009/9/11 philipp Hanselmann philipp.hanselm...@gmail.com:

 Matt wrote:
 For info - I removed passenger 2.2.5, installed 2.2.2 - rebuilt the
 passenger apache module, then removed all traces of puppet includes
 certs.

 Installed puppet 0.25 rpms, set up the config.ru and all worked.


 And the /etc/httpd/conf.d/puppet.conf ?
 Have you edited that file after the installation of 0.25 ?
 2009/9/10 philipp Hanselmann philipp.hanselm...@gmail.com:

 philipp Hanselmann wrote:

 I have similar issues with passenger 2.2.5.

 Now I am trying to downgrade passenger to 2.2.2
    gem install passenger -v 2.2.2

 This will install 2.2.2, but the passenger 2.2.5 remains installed?

 Then I noticed that the install process still uses 2.2.5!
 passenger-install-apache2-module


 So how can I remove passenger 2.2.5 ?



 Ok. I found it by myself ..
 gem uninstall passenger -v 2.2.5




 Pete Emerson wrote:

 Done. The issue is now posted here, and I added --trace to my
 puppetmasterd arguments to provide more info.

 http://projects.reductivelabs.com/issues/2620

 Pete

 On Wed, Sep 9, 2009 at 4:29 PM, Luke Kanies l...@madstop.com wrote:


 Can you file this as a bug, and add all of this logging data to it?

 On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:



 I'm seeing this as well, and have some info that may be useful. For me
 the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
 the puppetmasterd daemon directly.

 I started with exactly the auth.conf from here:

 http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf


 When I run the puppetmasterd in --no-daemon --debug mode, I see this
 when the client connects:

 info: access[^/catalog/([^/]+)$]: allowing 'method' find
 info: access[^/catalog/([^/]+)$]: allowing $1 access
 info: access[/certificate_revocation_list/ca]: allowing 'method' find
 info: access[/certificate_revocation_list/ca]: allowing * access
 info: access[/report]: allowing 'method' save
 info: access[/report]: allowing * access
 info: access[/file]: allowing * access
 info: access[/certificate/ca]: adding authentication no
 info: access[/certificate/ca]: allowing 'method' find
 info: access[/certificate/ca]: allowing * access
 info: access[/certificate/]: adding authentication no
 info: access[/certificate/]: allowing 'method' find
 info: access[/certificate/]: allowing * access
 info: access[/certificate_request]: adding authentication no
 info: access[/certificate_request]: allowing 'method' find
 info: access[/certificate_request]: allowing 'method' save
 info: access[/certificate_request]: allowing * access
 info: access[/]: adding authentication any
 info: access[^/catalog/([^/]+)$]: defaulting to no access for
 01.admin.demo.nym1
 warning: Denying access: Forbidden request:
 01.admin.demo.nym1(my.ip.address.here) access to
 /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
 err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
 to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52

 Lines 51 through 54 of the auth.conf:

 # allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 When I change 'allow $1' to 'allow *', the client is able to connect
 and it successfully ran my manifest.

 If I change my allow line to 'allow fakesstringhere', I see this:

 info: access[^/catalog/([^/]+)$]: allowing fakestringhere access

 When I change it back to 'allow $1':

 info: access[^/catalog/([^/]+)$]: allowing $1 access

 It seems like the regex capture of (^[/]+) isn't being stored in $1,
 and $1 is being used literally instead of substituting in the value
 from the regex?

 In case versions are interesting, I'm using CentOS 5 with the rpms
 found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/

 puppet-0.25.0-0.4.el5.noarch
 puppet-server-0.25.0-0.4.el5.noarch
 ruby-1.8.5-5.el5_3.7.x86_64
 ruby-augeas-0.3.0-1.el5.x86_64
 ruby-devel-1.8.5-5.el5_3.7.x86_64
 rubygems-1.3.1-1.el5.noarch
 ruby-irb-1.8.5-5.el5_3.7.x86_64
 ruby-libs-1.8.5-5.el5_3.7.x86_64
 ruby-rdoc-1.8.5-5.el5_3.7.x86_64
 ruby-shadow-1.4.1-7.el5.x86_64

 ruby gem info (although passenger is out of the mix):
 fastthread (1.0.7)
 passenger (2.2.2)
 rack (1.0.0)
 rake (0.8.7)

 Pete


 On Wed, Sep 9, 2009 at 11:30 AM, jrojas
 ja...@nothingbeatsaduck.com wrote:


 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.


 On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:


 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:





 hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
             -L
             --
 Larry Ludwig
 Reductive Labs


 --
 It is well to remember that the entire universe, with one trifling
 exception, is composed of others. --John 

[Puppet Users] Re: Puppet 0.25 migration

2009-09-12 Thread Christian Hofstaedtler



On Sep 9, 8:30 pm, jrojas ja...@nothingbeatsaduck.com wrote:
 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.

I've now done some tests with 2.2.5 and did not find any obvious
problems - so, if you are seeing a problem with 2.2.5, please try to
reproduce it with webrick. If it persists, it's not a Passenger
related bug. In any case please file bugs, but see #2516, #2517 and
#2620 first.

Thanks,
Christian

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~--~~~~--~~--~--~---



[Puppet Users] Re: Puppet 0.25 migration

2009-09-12 Thread Christian Hofstaedtler

On Sep 12, 11:51 pm, Christian Hofstaedtler ch+...@zeha.at wrote:
 On Sep 9, 8:30 pm, jrojas ja...@nothingbeatsaduck.com wrote:

  I am seeing this problem as well.
  Reverting from 2.2.5 to 2.2.2 did not help.

 I've now done some tests with 2.2.5 and did not find any obvious
 problems - so, if you are seeing a problem with 2.2.5, please try to
 reproduce it with webrick. If it persists, it's not a Passenger
 related bug. In any case please file bugs, but see #2516, #2517 and
 #2620 first.

Those bug numbers were wrong. Please check those:
Bug #2617: Problem with certs upgrading puppetmaster to 0.25.0
Bug #2619: Fresh 0.25.0 client cannot 'authenticate' to 0.25.0
puppetmaster.
Bug #2620: Regex problem in puppetmaster auth.conf


 Thanks,
 Christian



[Puppet Users] Re: Puppet 0.25 migration

2009-09-11 Thread philipp Hanselmann

Matt wrote:
 For info - I removed passenger 2.2.5, installed 2.2.2 - rebuilt the
 passenger apache module, then removed all traces of puppet includes
 certs.

 Installed puppet 0.25 rpms, set up the config.ru and all worked.
   

And the /etc/httpd/conf.d/puppet.conf ?
Have you edited that file after the installation of 0.25 ?
 2009/9/10 philipp Hanselmann philipp.hanselm...@gmail.com:
   
 philipp Hanselmann wrote:
 
 I have similar issues with passenger 2.2.5.

 Now I am trying to downgrade passenger to 2.2.2
gem install passenger -v 2.2.2

 This will install 2.2.2, but the passenger 2.2.5 remains installed?

 Then I noticed that the install process still uses 2.2.5!
 passenger-install-apache2-module


 So how can I remove passenger 2.2.5 ?


   
 Ok. I found it by myself ..
 gem uninstall passenger -v 2.2.5



 
 Pete Emerson wrote:
   
 Done. The issue is now posted here, and I added --trace to my
 puppetmasterd arguments to provide more info.

 http://projects.reductivelabs.com/issues/2620

 Pete

 On Wed, Sep 9, 2009 at 4:29 PM, Luke Kanies l...@madstop.com wrote:

 
 Can you file this as a bug, and add all of this logging data to it?

 On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:


   
 I'm seeing this as well, and have some info that may be useful. For me
 the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
 the puppetmasterd daemon directly.

 I started with exactly the auth.conf from here:

 http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf


 When I run the puppetmasterd in --no-daemon --debug mode, I see this
 when the client connects:

 info: access[^/catalog/([^/]+)$]: allowing 'method' find
 info: access[^/catalog/([^/]+)$]: allowing $1 access
 info: access[/certificate_revocation_list/ca]: allowing 'method' find
 info: access[/certificate_revocation_list/ca]: allowing * access
 info: access[/report]: allowing 'method' save
 info: access[/report]: allowing * access
 info: access[/file]: allowing * access
 info: access[/certificate/ca]: adding authentication no
 info: access[/certificate/ca]: allowing 'method' find
 info: access[/certificate/ca]: allowing * access
 info: access[/certificate/]: adding authentication no
 info: access[/certificate/]: allowing 'method' find
 info: access[/certificate/]: allowing * access
 info: access[/certificate_request]: adding authentication no
 info: access[/certificate_request]: allowing 'method' find
 info: access[/certificate_request]: allowing 'method' save
 info: access[/certificate_request]: allowing * access
 info: access[/]: adding authentication any
 info: access[^/catalog/([^/]+)$]: defaulting to no access for
 01.admin.demo.nym1
 warning: Denying access: Forbidden request:
 01.admin.demo.nym1(my.ip.address.here) access to
 /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
 err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
 to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52

 Lines 51 through 54 of the auth.conf:

 # allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 When I change 'allow $1' to 'allow *', the client is able to connect
 and it successfully ran my manifest.

 If I change my allow line to 'allow fakesstringhere', I see this:

 info: access[^/catalog/([^/]+)$]: allowing fakestringhere access

 When I change it back to 'allow $1':

 info: access[^/catalog/([^/]+)$]: allowing $1 access

 It seems like the regex capture of (^[/]+) isn't being stored in $1,
 and $1 is being used literally instead of substituting in the value
 from the regex?

 In case versions are interesting, I'm using CentOS 5 with the rpms
 found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/

 puppet-0.25.0-0.4.el5.noarch
 puppet-server-0.25.0-0.4.el5.noarch
 ruby-1.8.5-5.el5_3.7.x86_64
 ruby-augeas-0.3.0-1.el5.x86_64
 ruby-devel-1.8.5-5.el5_3.7.x86_64
 rubygems-1.3.1-1.el5.noarch
 ruby-irb-1.8.5-5.el5_3.7.x86_64
 ruby-libs-1.8.5-5.el5_3.7.x86_64
 ruby-rdoc-1.8.5-5.el5_3.7.x86_64
 ruby-shadow-1.4.1-7.el5.x86_64

 ruby gem info (although passenger is out of the mix):
 fastthread (1.0.7)
 passenger (2.2.2)
 rack (1.0.0)
 rake (0.8.7)

 Pete


 On Wed, Sep 9, 2009 at 11:30 AM, jrojas
 ja...@nothingbeatsaduck.com wrote:

 
 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.


 On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:

   
 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:




 
 hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
 -L
 --
 Larry Ludwig
 Reductive Labs

   
 --
 It is well to remember that the entire universe, with one trifling
 exception, is composed of others. --John Andrew Holmes
 

[Puppet Users] Re: Puppet 0.25 migration

2009-09-10 Thread philipp Hanselmann

I have similar issues with passenger 2.2.5.

Now I am trying to downgrade passenger to 2.2.2
gem install passenger -v 2.2.2

This will install 2.2.2, but the passenger 2.2.5 remains installed?

Then I noticed that the install process still uses 2.2.5!
 passenger-install-apache2-module


So how can I remove passenger 2.2.5 ?




Pete Emerson wrote:
 Done. The issue is now posted here, and I added --trace to my
 puppetmasterd arguments to provide more info.

 http://projects.reductivelabs.com/issues/2620

 Pete

 On Wed, Sep 9, 2009 at 4:29 PM, Luke Kanies l...@madstop.com wrote:
   
 Can you file this as a bug, and add all of this logging data to it?

 On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:

 
 I'm seeing this as well, and have some info that may be useful. For me
 the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
 the puppetmasterd daemon directly.

 I started with exactly the auth.conf from here:

 http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf

 When I run the puppetmasterd in --no-daemon --debug mode, I see this
 when the client connects:

 info: access[^/catalog/([^/]+)$]: allowing 'method' find
 info: access[^/catalog/([^/]+)$]: allowing $1 access
 info: access[/certificate_revocation_list/ca]: allowing 'method' find
 info: access[/certificate_revocation_list/ca]: allowing * access
 info: access[/report]: allowing 'method' save
 info: access[/report]: allowing * access
 info: access[/file]: allowing * access
 info: access[/certificate/ca]: adding authentication no
 info: access[/certificate/ca]: allowing 'method' find
 info: access[/certificate/ca]: allowing * access
 info: access[/certificate/]: adding authentication no
 info: access[/certificate/]: allowing 'method' find
 info: access[/certificate/]: allowing * access
 info: access[/certificate_request]: adding authentication no
 info: access[/certificate_request]: allowing 'method' find
 info: access[/certificate_request]: allowing 'method' save
 info: access[/certificate_request]: allowing * access
 info: access[/]: adding authentication any
 info: access[^/catalog/([^/]+)$]: defaulting to no access for
 01.admin.demo.nym1
 warning: Denying access: Forbidden request:
 01.admin.demo.nym1(my.ip.address.here) access to
 /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
 err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
 to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52

 Lines 51 through 54 of the auth.conf:

 # allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 When I change 'allow $1' to 'allow *', the client is able to connect
 and it successfully ran my manifest.

 If I change my allow line to 'allow fakesstringhere', I see this:

 info: access[^/catalog/([^/]+)$]: allowing fakestringhere access

 When I change it back to 'allow $1':

 info: access[^/catalog/([^/]+)$]: allowing $1 access

 It seems like the regex capture of (^[/]+) isn't being stored in $1,
 and $1 is being used literally instead of substituting in the value
 from the regex?

 In case versions are interesting, I'm using CentOS 5 with the rpms
 found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/

 puppet-0.25.0-0.4.el5.noarch
 puppet-server-0.25.0-0.4.el5.noarch
 ruby-1.8.5-5.el5_3.7.x86_64
 ruby-augeas-0.3.0-1.el5.x86_64
 ruby-devel-1.8.5-5.el5_3.7.x86_64
 rubygems-1.3.1-1.el5.noarch
 ruby-irb-1.8.5-5.el5_3.7.x86_64
 ruby-libs-1.8.5-5.el5_3.7.x86_64
 ruby-rdoc-1.8.5-5.el5_3.7.x86_64
 ruby-shadow-1.4.1-7.el5.x86_64

 ruby gem info (although passenger is out of the mix):
 fastthread (1.0.7)
 passenger (2.2.2)
 rack (1.0.0)
 rake (0.8.7)

 Pete


 On Wed, Sep 9, 2009 at 11:30 AM, jrojas
 ja...@nothingbeatsaduck.com wrote:
   
 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.


 On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:
 
 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:



   
 hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
 
 -L
 
 --
 Larry Ludwig
 Reductive Labs
 
 --
 It is well to remember that the entire universe, with one trifling
 exception, is composed of others. --John Andrew Holmes
 -
 Luke Kanies | http://reductivelabs.com | http://madstop.com


 

 

   





[Puppet Users] Re: Puppet 0.25 migration

2009-09-10 Thread philipp Hanselmann

philipp Hanselmann wrote:
 I have similar issues with passenger 2.2.5.

 Now I am trying to downgrade passenger to 2.2.2
gem install passenger -v 2.2.2

 This will install 2.2.2, but the passenger 2.2.5 remains installed?

 Then I noticed that the install process still uses 2.2.5!
 passenger-install-apache2-module


 So how can I remove passenger 2.2.5 ?


Ok. I found it by myself ..
gem uninstall passenger -v 2.2.5





 Pete Emerson wrote:
 Done. The issue is now posted here, and I added --trace to my
 puppetmasterd arguments to provide more info.

 http://projects.reductivelabs.com/issues/2620

 Pete

 On Wed, Sep 9, 2009 at 4:29 PM, Luke Kanies l...@madstop.com wrote:
  
 Can you file this as a bug, and add all of this logging data to it?

 On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:


 I'm seeing this as well, and have some info that may be useful. For me
 the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
 the puppetmasterd daemon directly.

 I started with exactly the auth.conf from here:

 http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf
  


 When I run the puppetmasterd in --no-daemon --debug mode, I see this
 when the client connects:

 info: access[^/catalog/([^/]+)$]: allowing 'method' find
 info: access[^/catalog/([^/]+)$]: allowing $1 access
 info: access[/certificate_revocation_list/ca]: allowing 'method' find
 info: access[/certificate_revocation_list/ca]: allowing * access
 info: access[/report]: allowing 'method' save
 info: access[/report]: allowing * access
 info: access[/file]: allowing * access
 info: access[/certificate/ca]: adding authentication no
 info: access[/certificate/ca]: allowing 'method' find
 info: access[/certificate/ca]: allowing * access
 info: access[/certificate/]: adding authentication no
 info: access[/certificate/]: allowing 'method' find
 info: access[/certificate/]: allowing * access
 info: access[/certificate_request]: adding authentication no
 info: access[/certificate_request]: allowing 'method' find
 info: access[/certificate_request]: allowing 'method' save
 info: access[/certificate_request]: allowing * access
 info: access[/]: adding authentication any
 info: access[^/catalog/([^/]+)$]: defaulting to no access for
 01.admin.demo.nym1
 warning: Denying access: Forbidden request:
 01.admin.demo.nym1(my.ip.address.here) access to
 /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
 err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
 to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52

 Lines 51 through 54 of the auth.conf:

 # allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 When I change 'allow $1' to 'allow *', the client is able to connect
 and it successfully ran my manifest.

 If I change my allow line to 'allow fakesstringhere', I see this:

 info: access[^/catalog/([^/]+)$]: allowing fakestringhere access

 When I change it back to 'allow $1':

 info: access[^/catalog/([^/]+)$]: allowing $1 access

 It seems like the regex capture of (^[/]+) isn't being stored in $1,
 and $1 is being used literally instead of substituting in the value
 from the regex?

 In case versions are interesting, I'm using CentOS 5 with the rpms
 found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/

 puppet-0.25.0-0.4.el5.noarch
 puppet-server-0.25.0-0.4.el5.noarch
 ruby-1.8.5-5.el5_3.7.x86_64
 ruby-augeas-0.3.0-1.el5.x86_64
 ruby-devel-1.8.5-5.el5_3.7.x86_64
 rubygems-1.3.1-1.el5.noarch
 ruby-irb-1.8.5-5.el5_3.7.x86_64
 ruby-libs-1.8.5-5.el5_3.7.x86_64
 ruby-rdoc-1.8.5-5.el5_3.7.x86_64
 ruby-shadow-1.4.1-7.el5.x86_64

 ruby gem info (although passenger is out of the mix):
 fastthread (1.0.7)
 passenger (2.2.2)
 rack (1.0.0)
 rake (0.8.7)

 Pete


 On Wed, Sep 9, 2009 at 11:30 AM, jrojas
 ja...@nothingbeatsaduck.com wrote:
  
 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.


 On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:

 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:



  
 hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
 -L
 --
 Larry Ludwig
 Reductive Labs
 
 -- 
 It is well to remember that the entire universe, with one trifling
 exception, is composed of others. --John Andrew Holmes
 -
 Luke Kanies | http://reductivelabs.com | http://madstop.com


 

 

   





[Puppet Users] Re: Puppet 0.25 migration

2009-09-10 Thread Matt

For info - I removed passenger 2.2.5, installed 2.2.2 - rebuilt the
passenger apache module, then removed all traces of puppet includes
certs.

Installed puppet 0.25 rpms, set up the config.ru and all worked.

2009/9/10 philipp Hanselmann philipp.hanselm...@gmail.com:

 philipp Hanselmann wrote:
 I have similar issues with passenger 2.2.5.

 Now I am trying to downgrade passenger to 2.2.2
    gem install passenger -v 2.2.2

 This will install 2.2.2, but the passenger 2.2.5 remains installed?

 Then I noticed that the install process still uses 2.2.5!
 passenger-install-apache2-module


 So how can I remove passenger 2.2.5 ?


 Ok. I found it by myself ..
 gem uninstall passenger -v 2.2.5





 Pete Emerson wrote:
 Done. The issue is now posted here, and I added --trace to my
 puppetmasterd arguments to provide more info.

 http://projects.reductivelabs.com/issues/2620

 Pete

 On Wed, Sep 9, 2009 at 4:29 PM, Luke Kanies l...@madstop.com wrote:

 Can you file this as a bug, and add all of this logging data to it?

 On Sep 9, 2009, at 3:58 PM, Pete Emerson wrote:


 I'm seeing this as well, and have some info that may be useful. For me
 the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
 the puppetmasterd daemon directly.

 I started with exactly the auth.conf from here:

 http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf


 When I run the puppetmasterd in --no-daemon --debug mode, I see this
 when the client connects:

 info: access[^/catalog/([^/]+)$]: allowing 'method' find
 info: access[^/catalog/([^/]+)$]: allowing $1 access
 info: access[/certificate_revocation_list/ca]: allowing 'method' find
 info: access[/certificate_revocation_list/ca]: allowing * access
 info: access[/report]: allowing 'method' save
 info: access[/report]: allowing * access
 info: access[/file]: allowing * access
 info: access[/certificate/ca]: adding authentication no
 info: access[/certificate/ca]: allowing 'method' find
 info: access[/certificate/ca]: allowing * access
 info: access[/certificate/]: adding authentication no
 info: access[/certificate/]: allowing 'method' find
 info: access[/certificate/]: allowing * access
 info: access[/certificate_request]: adding authentication no
 info: access[/certificate_request]: allowing 'method' find
 info: access[/certificate_request]: allowing 'method' save
 info: access[/certificate_request]: allowing * access
 info: access[/]: adding authentication any
 info: access[^/catalog/([^/]+)$]: defaulting to no access for
 01.admin.demo.nym1
 warning: Denying access: Forbidden request:
 01.admin.demo.nym1(my.ip.address.here) access to
 /catalog/01.admin.demo.nym1 [find] authenticated  at line 52
 err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
 to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52

 Lines 51 through 54 of the auth.conf:

 # allow nodes to retrieve their own catalog (ie their configuration)
 path ~ ^/catalog/([^/]+)$
 method find
 allow $1

 When I change 'allow $1' to 'allow *', the client is able to connect
 and it successfully ran my manifest.

 If I change my allow line to 'allow fakesstringhere', I see this:

 info: access[^/catalog/([^/]+)$]: allowing fakestringhere access

 When I change it back to 'allow $1':

 info: access[^/catalog/([^/]+)$]: allowing $1 access

 It seems like the regex capture of (^[/]+) isn't being stored in $1,
 and $1 is being used literally instead of substituting in the value
 from the regex?

 In case versions are interesting, I'm using CentOS 5 with the rpms
 found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/

 puppet-0.25.0-0.4.el5.noarch
 puppet-server-0.25.0-0.4.el5.noarch
 ruby-1.8.5-5.el5_3.7.x86_64
 ruby-augeas-0.3.0-1.el5.x86_64
 ruby-devel-1.8.5-5.el5_3.7.x86_64
 rubygems-1.3.1-1.el5.noarch
 ruby-irb-1.8.5-5.el5_3.7.x86_64
 ruby-libs-1.8.5-5.el5_3.7.x86_64
 ruby-rdoc-1.8.5-5.el5_3.7.x86_64
 ruby-shadow-1.4.1-7.el5.x86_64

 ruby gem info (although passenger is out of the mix):
 fastthread (1.0.7)
 passenger (2.2.2)
 rack (1.0.0)
 rake (0.8.7)

 Pete


 On Wed, Sep 9, 2009 at 11:30 AM, jrojas
 ja...@nothingbeatsaduck.com wrote:

 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.


 On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:

 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:




 hmm passenger 2.2.5 is released?  hmm I'll have to test it out.
             -L
             --
 Larry Ludwig
 Reductive Labs

 --
 It is well to remember that the entire universe, with one trifling
 exception, is composed of others. --John Andrew Holmes
 -
 Luke Kanies | http://reductivelabs.com | http://madstop.com




 






 



[Puppet Users] Re: Puppet 0.25 migration

2009-09-09 Thread Matt

Reverting back to the passenger 2.2.2 gem worked for me.

2009/9/8 Larry Ludwig la...@reductivelabs.com:

 hmm passenger 2.2.5 is released?  hmm I'll have to test it out.

 -L

 --
 Larry Ludwig
 Reductive Labs


 





[Puppet Users] Re: Puppet 0.25 migration

2009-09-09 Thread jrojas

I am seeing this problem as well.
Reverting from 2.2.5 to 2.2.2 did not help.


On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:
 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:



  hmm passenger 2.2.5 is released?  hmm I'll have to test it out.

  -L

  --
  Larry Ludwig
  Reductive Labs



[Puppet Users] Re: Puppet 0.25 migration

2009-09-09 Thread Pete Emerson

I'm seeing this as well, and have some info that may be useful. For me
the problem happens whether I use passenger-2.2.5, passenger-2.2.2, or
the puppetmasterd daemon directly.

I started with exactly the auth.conf from here:

http://github.com/reductivelabs/puppet/blob/c2e26b9bb28ebcb8e07822015f99bd6a971b51c8/conf/auth.conf

When I run the puppetmasterd in --no-daemon --debug mode, I see this
when the client connects:

info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing 'method' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: access[^/catalog/([^/]+)$]: defaulting to no access for 01.admin.demo.nym1
warning: Denying access: Forbidden request:
01.admin.demo.nym1(my.ip.address.here) access to
/catalog/01.admin.demo.nym1 [find] authenticated  at line 52
err: Forbidden request: 01.admin.demo.nym1(my.ip.address.here) access
to /catalog/01.admin.demo.nym1 [find] authenticated  at line 52

Lines 51 through 54 of the auth.conf:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

When I change 'allow $1' to 'allow *', the client is able to connect
and it successfully ran my manifest.

If I change my allow line to 'allow fakesstringhere', I see this:

info: access[^/catalog/([^/]+)$]: allowing fakestringhere access

When I change it back to 'allow $1':

info: access[^/catalog/([^/]+)$]: allowing $1 access

It seems like the regex capture of (^[/]+) isn't being stored in $1,
and $1 is being used literally instead of substituting in the value
from the regex?

In case versions are interesting, I'm using CentOS 5 with the rpms
found at http://tmz.fedorapeople.org/repo/puppet/epel/5/x86_64/

puppet-0.25.0-0.4.el5.noarch
puppet-server-0.25.0-0.4.el5.noarch
ruby-1.8.5-5.el5_3.7.x86_64
ruby-augeas-0.3.0-1.el5.x86_64
ruby-devel-1.8.5-5.el5_3.7.x86_64
rubygems-1.3.1-1.el5.noarch
ruby-irb-1.8.5-5.el5_3.7.x86_64
ruby-libs-1.8.5-5.el5_3.7.x86_64
ruby-rdoc-1.8.5-5.el5_3.7.x86_64
ruby-shadow-1.4.1-7.el5.x86_64

ruby gem info (although passenger is out of the mix):
fastthread (1.0.7)
passenger (2.2.2)
rack (1.0.0)
rake (0.8.7)

Pete


On Wed, Sep 9, 2009 at 11:30 AM, jrojas ja...@nothingbeatsaduck.com wrote:

 I am seeing this problem as well.
 Reverting from 2.2.5 to 2.2.2 did not help.


 On Sep 9, 9:12 am, Matt mattmora...@gmail.com wrote:
 Reverting back to the passenger 2.2.2 gem worked for me.

 2009/9/8 Larry Ludwig la...@reductivelabs.com:



  hmm passenger 2.2.5 is released?  hmm I'll have to test it out.

  -L

  --
  Larry Ludwig
  Reductive Labs
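
The behaviour reported in the message above (`allow $1` compared literally instead of being replaced by the regex capture) can be reproduced with a small ACL evaluator. This is an added example, not code from the thread or from Puppet: `Rule`, `expand_allow`, `allowed?`, `demo_results` and the node name `02.web.demo.nym1` are hypothetical. It also shows that the `allow *` workaround lets any authenticated node fetch another node's catalog.

```ruby
# Toy ACL evaluator for the catalog rule quoted in the thread.
# Not Puppet's implementation: all names below are hypothetical.

Rule = Struct.new(:path, :verb, :allow)

# Lines 51-54 of the auth.conf from the post.
CATALOG_RULE  = Rule.new(%r{^/catalog/([^/]+)$}, "find", "$1")
# The workaround tried in the post.
WILDCARD_RULE = Rule.new(%r{^/catalog/([^/]+)$}, "find", "*")

# Replace $1..$9 in an allow pattern with the captures from the path match.
# Returns nil when a referenced group captured nothing, so the caller denies.
def expand_allow(pattern, match)
  missing = false
  expanded = pattern.gsub(/\$([1-9])/) do |ref|
    capture = match[ref[1, 1].to_i]
    missing = true if capture.nil?
    capture.to_s
  end
  missing ? nil : expanded
end

# Decide whether an authenticated node may issue `verb` on `path`.
# substitute: false reproduces the reported behaviour, where "$1" is
# compared to the node name as a literal string.
def allowed?(rule, node, path, verb, substitute: true)
  match = rule.path.match(path)
  return false unless match && rule.verb == verb
  return true if rule.allow == "*"

  pattern = substitute ? expand_allow(rule.allow, match) : rule.allow
  return false if pattern.nil?

  node.downcase == pattern.downcase
end

# Decisions for the cases discussed in the thread.
def demo_results
  own   = "/catalog/01.admin.demo.nym1"
  node  = "01.admin.demo.nym1"   # node name from the post
  other = "02.web.demo.nym1"     # constructed second node
  {
    # "$1" taken literally: the node is denied its own catalog.
    literal_own: allowed?(CATALOG_RULE, node, own, "find", substitute: false),
    # "$1" replaced by the capture: the node gets its own catalog.
    substituted_own: allowed?(CATALOG_RULE, node, own, "find"),
    # Another node asking for that catalog is still denied.
    substituted_other: allowed?(CATALOG_RULE, other, own, "find"),
    # "allow *": any authenticated node may fetch any catalog.
    wildcard_other: allowed?(WILDCARD_RULE, other, own, "find"),
    # The rule only covers the find method.
    wrong_verb: allowed?(CATALOG_RULE, node, own, "save")
  }
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each { |name, decision| puts "#{name}: #{decision ? 'allow' : 'deny'}" }
end
```
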
 


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en
-~--~~~~--~~--~--~---
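
The rule semantics Pete describes above, as an added example (not part of the thread and not Puppet's own code): a simplified exact-match model of a path-regex ACL in which `allow $1` is expanded from the regex capture before it is compared with the authenticated certname. The `interpolate: false` path models the behaviour he reports, and the `allow *` rule shows what the workaround permits; the hostnames and helper names are constructed for illustration.

```ruby
# Simplified model of an auth.conf-style rule:
#   path ~ ^/catalog/([^/]+)$ / method find / allow $1
# Assumption: allow entries are compared by exact string match.
CATALOG_RULE  = { path: %r{^/catalog/([^/]+)$}, method: 'find', allow: '$1' }
WILDCARD_RULE = CATALOG_RULE.merge(allow: '*')

# Replace $1, $2, ... in an allow entry with the corresponding capture group.
# A reference to a group that does not exist expands to an empty string.
def expand_backrefs(template, match)
  template.gsub(/\$(\d+)/) { match[Regexp.last_match(1).to_i].to_s }
end

# True when the authenticated certname may perform `method` on `path`.
# interpolate: false models the reported failure: "$1" is compared literally.
def allowed?(rule, certname, path, method, interpolate: true)
  m = rule[:path].match(path)
  return false unless m && method == rule[:method]
  return true if rule[:allow] == '*'

  wanted = interpolate ? expand_backrefs(rule[:allow], m) : rule[:allow]
  wanted == certname
end

if __FILE__ == $PROGRAM_NAME
  web = 'web01.example.test' # constructed certnames
  db  = 'db01.example.test'
  checks = {
    'own catalog, $1 expanded'    => allowed?(CATALOG_RULE, web, "/catalog/#{web}", 'find'),
    'other catalog, $1 expanded'  => allowed?(CATALOG_RULE, web, "/catalog/#{db}", 'find'),
    'own catalog, $1 literal'     => allowed?(CATALOG_RULE, web, "/catalog/#{web}", 'find',
                                              interpolate: false),
    "other catalog, 'allow *'"    => allowed?(WILDCARD_RULE, web, "/catalog/#{db}", 'find')
  }
  checks.each { |label, result| puts format('%-28s %s', label, result ? 'allowed' : 'forbidden') }
end
```

With `allow *` in this model, any authenticated node can request any other node's catalog, so the workaround removes the per-node restriction the original rule expresses.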



[Puppet Users] Re: Puppet 0.25 migration

2009-09-08 Thread Matt

Noticed I was running passenger 2.2.3 (which did work for 0.24) so I
upgraded to 2.2.5.

After restarting, one of my 0.25 nodes started working, but the other
one still gets:

warning: peer certificate won't be verified in this SSL session
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in
`deserialize': Error 403 on SERVER: Forbidden (Net::HTTPError)
from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'

In the master logs I get a strange error
Sep  8 16:20:52 s_lo...@sl01 puppetmasterd[3581]: Denying access:
Forbidden request: sl03.temp.local(192.168.1.110) access to
/certificate/ca [find] authenticated  at line 0
Sep  8 16:20:52 s_lo...@sl01 puppetmasterd[3581]: Forbidden request:
sl03.temp.local(192.168.1.110) access to /certificate/ca [find]
authenticated  at line 0

What's strange is that the DNS name it's quoting is not the DNS for that IP.

2009/9/8 Matt mattmora...@gmail.com:
 I'm currently upgrading our puppetmaster to 0.25, at first just using
 the standard webrick install to get the modules working.
 Both my new 0.25 clients and existing 0.24 clients had no problem connecting.

 I've now changed the puppetmaster over to run under passenger, my 0.24
 clients are still connecting, but my 0.25 clients are now getting:

 err: Could not retrieve catalog from remote server: Error 403 on
 SERVER: Forbidden
 warning: Not using cache on failed catalog
 err: Could not retrieve catalog; skipping run

 Do I need to clean all the ssl's of the 0.25 clients?

 Thanks,

 Matt





[Puppet Users] Re: Puppet 0.25 migration

2009-09-08 Thread Matt

I'm going to start afresh with the puppetmaster install :-)

2009/9/8 Matt mattmora...@gmail.com:
 Noticed I was running passenger 2.2.3 (which did work for 0.24) so I
 upgraded to 2.2.5.

 After restarting, one of my 0.25 nodes started working, but the other
 one still gets:

 warning: peer certificate won't be verified in this SSL session
 /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in
 `deserialize': Error 403 on SERVER: Forbidden (Net::HTTPError)
        from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'

 In the master logs I get a strange error
 Sep  8 16:20:52 s_lo...@sl01 puppetmasterd[3581]: Denying access:
 Forbidden request: sl03.temp.local(192.168.1.110) access to
 /certificate/ca [find] authenticated  at line 0
 Sep  8 16:20:52 s_lo...@sl01 puppetmasterd[3581]: Forbidden request:
 sl03.temp.local(192.168.1.110) access to /certificate/ca [find]
 authenticated  at line 0

 What's strange is that the DNS name it's quoting is not the DNS for that IP.

 2009/9/8 Matt mattmora...@gmail.com:
 I'm currently upgrading our puppetmaster to 0.25, at first just using
 the standard webrick install to get the modules working.
 Both my new 0.25 clients and existing 0.24 clients had no problem connecting.

 I've now changed the puppetmaster over to run under passenger, my 0.24
 clients are still connecting, but my 0.25 clients are now getting:

 err: Could not retrieve catalog from remote server: Error 403 on
 SERVER: Forbidden
 warning: Not using cache on failed catalog
 err: Could not retrieve catalog; skipping run

 Do I need to clean all the ssl's of the 0.25 clients?

 Thanks,

 Matt






[Puppet Users] Re: Puppet 0.25 migration

2009-09-08 Thread Christian Hofstaedtler

AFAIK this is the result of a known bug in Passenger 2.2.3 and newer.
ext/rack/README states:

 *** Important note about Passenger versions:
2.2.2 is known to work.
2.2.3-2.2.4 are known to *NOT* work.
2.2.5 (when it is released) is expected to work properly again.

You should probably downgrade to 2.2.2, and if that works you might
try upgrading to 2.2.5 and see if that works. If it does (or not),
please report back :)

Christian




[Puppet Users] Re: Puppet 0.25 migration

2009-09-08 Thread Larry Ludwig

hmm passenger 2.2.5 is released?  hmm I'll have to test it out.

-L

--
Larry Ludwig
Reductive Labs

