The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #14609

Wrong ssldir used when using 3.0rc1 packages under passenger

Added by Erik Dalén almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Start date: 05/21/2012
Priority: High
Due date:
Assignee: Chris Price
% Done: 0%
Category: -
Target version: 3.0.0
Affected Puppet version:
Branch: https://github.com/puppetlabs/puppet/pull/807
Keywords:



Description

I tried upgrading one of my puppetmasters from 2.7.13 to 3.0.0rc1 using the packages from apt.puppetlabs.com. The server is using debian squeeze.

Here are the relevant parts of the puppet.conf:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
postrun_command=/etc/puppet/postrun
pluginsync=true
[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
ssldir= $vardir/ssl-master { owner = service, group = root, mode = 771 }

puppet master --configprint ssldir prints: /var/lib/puppet/ssl-master

When I run it under webrick everything works. But under passenger (with the config that worked with 2.7.13) I get the following backtrace:

Ruby (Rack) application could not be started
The application has exited during startup (i.e. during the evaluation of config/environment.rb). The error message may have been written to the web server's log file. Please check the web server's log file (i.e. not the (Rails) application's log file) to find out why the application exited.
If that doesn't help, then please use the backtrace below to debug the problem.
Application root:
/usr/share/puppet/rack/puppetmasterd
Backtrace:
#   File    Line    Location
0   /usr/lib/ruby/1.8/puppet/util.rb    543 in `exit'
1   /usr/lib/ruby/1.8/puppet/util.rb    543 in `exit_on_fail'
2   /usr/lib/ruby/1.8/puppet/application.rb 340 in `run'
3   config.ru   16  
4   /usr/lib/ruby/1.8/rack/builder.rb   46  in `instance_eval'
5   /usr/lib/ruby/1.8/rack/builder.rb   46  in `initialize'
6   config.ru   1   in `new'
7   config.ru   1

And this in /var/log/daemon.log:

2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Wrapped exception:
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl]/ensure) change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/private_keys]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/private_keys]) Skipping because of failed dependencies
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/public_keys]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/public_keys]) Skipping because of failed dependencies
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/certs]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/certs]) Skipping because of failed dependencies
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/private]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/private]) Skipping because of failed dependencies
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/certificate_requests]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: (/File[/etc/puppet/ssl/certificate_requests]) Skipping because of failed dependencies
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Could not prepare for execution: Got 3 failure(s) while initializing: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl; Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Wrapped exception:
2012-05-21T16:54:05.000+00:00 majlis.int.sto.spotify.net puppet-master[22870]: Permission denied - /etc/puppet/ssl; change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Wrapped exception:
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl]/ensure) change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/private_keys]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/private_keys]) Skipping because of failed dependencies
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/public_keys]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/public_keys]) Skipping because of failed dependencies
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/certs]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/certs]) Skipping because of failed dependencies
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/private]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/private]) Skipping because of failed dependencies
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/certificate_requests]) Dependency File[/etc/puppet/ssl] has failures: true
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: (/File[/etc/puppet/ssl/certificate_requests]) Skipping because of failed dependencies
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Could not prepare for execution: Got 3 failure(s) while initializing: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl; Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Wrapped exception:
2012-05-21T16:54:06.000+00:00 majlis.int.sto.spotify.net puppet-master[22890]: Permission denied - /etc/puppet/ssl; change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl

Related issues

Related to Puppet - Bug #16637: Puppet confdir and vardir are wrong when running non-root Closed 09/29/2012

History

#1 Updated by Matthaus Owens almost 4 years ago

  • Status changed from Unreviewed to Accepted
  • Priority changed from Normal to High

Verified (on lucid amd64). This seems to be related to how puppet is looking up ssldir. With ssldir=/var/lib/puppet/ssl in both the [main] and [master] sections, the passenger master is still reporting looking in /etc/puppet/ssl, which is the default value in defaults.rb (“$confdir/ssl”). Both puppet master --configprint ssldir, puppet agent --configprint ssldir, and puppet config print ssldir all return /var/lib/puppet/ssl

#2 Updated by Matthaus Owens almost 4 years ago

  • Project changed from Puppet Community Package Repository to Puppet

This doesn’t appear to be packaging related.

#3 Updated by Chris Price almost 4 years ago

  • Assignee set to Chris Price
  • Target version set to 3.0.0

Per Haus:

Reproduction is easy. Add apt.puppetlabs.com devel repos, install puppetmaster-passenger, try an agent run.

#4 Updated by Erik Dalén almost 4 years ago

If I symlink in the ssldir it starts, but clients fail with errors about requests being denied. So I suspect it doesn’t read auth.conf either under passenger.

#5 Updated by Chris Price almost 4 years ago

I am successfully repro-ing this now… will update the ticket as things progress.

#6 Updated by Chris Price almost 4 years ago

A note for future puppet devs: easiest way to get useful trace information out of this setup is to edit /usr/lib/ruby/1.8/puppet/defaults.rb and set the default value for :trace to true. Now that I’ve done that I’m getting some useful stack traces to dig into.

#7 Updated by Chris Price almost 4 years ago

Alright… I think I’ve narrowed this down a bit. There are some settings initialization steps that happen in application.rb that don’t seem to be getting triggered when we launch via passenger. Investigating how to get calls to those in place.

#8 Updated by Chris Price almost 4 years ago

I believe I have a fix for this here:

https://github.com/cprice-puppet/puppet/commit/0cea47ec90e77e81c27ffbedbd46bb5357a45d66

Would like to test it a bit before submitting a pull request. Will check in with Haus for help on how best to do that.

Meanwhile, Erik, the change only affects one file so if you have any interest in trying it out in your environment it should be pretty easy to patch it in by hand.

Thanks a ton for reporting this issue! Very good for us to be catching this now, before the official release.

#9 Updated by Erik Dalén almost 4 years ago

Thanks, that seems to fix it for me. Very limited testing so far though.

#10 Updated by Chris Price almost 4 years ago

  • Status changed from Accepted to In Topic Branch Pending Review
  • Branch set to https://github.com/puppetlabs/puppet/pull/807

Thanks, Erik. Matthaus and I have tested successfully on local VMs. He also built some debs, and they seem to work for both of us as well.

#11 Updated by Matthaus Owens almost 4 years ago

  • Status changed from In Topic Branch Pending Review to Merged - Pending Release

#12 Updated by Matthaus Owens almost 4 years ago

  • Status changed from Merged - Pending Release to Closed

Released in Puppet 3.0.0rc2
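
An added example, not part of the ticket or of Puppet's code: a simplified Ruby model of the lookup discussed in comments #1 and #7. It shows that the ticket's puppet.conf resolves ssldir to /var/lib/puppet/ssl-master for the master run mode, that resolving with no configuration applied gives the $confdir/ssl default, and that the path in the log is the default one. The names parse_conf, resolve and stray_ssl_paths are hypothetical, the section precedence is an assumption of the model, and the log sample is abridged from the ticket's daemon.log excerpt.

```ruby
# Built-in defaults; '$confdir/ssl' is the defaults.rb value quoted in the ticket.
DEFAULTS = { 'confdir' => '/etc/puppet', 'ssldir' => '$confdir/ssl' }.freeze

# Parse puppet.conf text into { section => { key => value } }.
# A trailing "{ owner = ..., mode = ... }" metadata block is dropped from the value.
def parse_conf(text)
  section = 'main'
  text.each_line.with_object(Hash.new { |h, k| h[k] = {} }) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A\[(\w+)\]\z/
      section = $1
    elsif line =~ /\A(\w+)\s*=\s*(.*?)\s*(\{.*\})?\z/
      conf[section][$1] = $2
    end
  end
end

# Resolve a setting: run-mode section, then [main], then the default (assumed
# precedence), expanding $name references recursively.
def resolve(conf, key, run_mode)
  raw = conf[run_mode.to_s][key] || conf['main'][key] || DEFAULTS.fetch(key)
  raw.gsub(/\$(\w+)/) { resolve(conf, $1, run_mode) }
end

# Paths in "Permission denied - <path>" log entries that lie outside `expected`.
def stray_ssl_paths(log, expected)
  log.scan(/Permission denied - (\/[^\s;]+)/).flatten.uniq
     .reject { |p| p == expected || p.start_with?(expected + '/') }
end

# puppet.conf lines from the ticket (subset).
CONF = <<~'EOS'
  [main]
  vardir=/var/lib/puppet
  ssldir=/var/lib/puppet/ssl
  [master]
  ssldir= $vardir/ssl-master { owner = service, group = root, mode = 771 }
EOS
# Abridged from the ticket's daemon.log excerpt (timestamp and host removed).
LOG = <<~'EOS'
  puppet-master[22870]: Could not set 'directory' on ensure: Permission denied - /etc/puppet/ssl
  puppet-master[22870]: (/File[/etc/puppet/ssl/private_keys]) Skipping because of failed dependencies
EOS
if __FILE__ == $PROGRAM_NAME
  expected = resolve(parse_conf(CONF), 'ssldir', :master)
  puts "configured ssldir: #{expected}"
  puts "stray paths:       #{stray_ssl_paths(LOG, expected).inspect}"
end
```

A non-empty result from stray_ssl_paths means the running process is touching a key directory other than the one the configuration names, which is the symptom reported here.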
