Puppet

Lawrence Ludwig wrote:

I have a 0.25.1 puppetmaster that works fine with 0.24.8 nodes. When I test with a 0.25.1 client, I get these errors with my existing puppet code.

Nov 4 14:43:35 devcentos5 puppetd[26099]: (//network-config::base/File [hosts]) Failed to retrieve current state of resource: Error 400 on SERVER: Not authorized to call find on /file_metadata/network-config/ hosts/hosts.devcentos5 Could not retrieve file metadata for puppet:///network-config/hosts/hosts.devcentos5: Error 400 on SERVER: Not authorized to call find on /file_metadata/network-config/hosts/ hosts.devcentos5 at /home/puppet/development/modules/dist/network- config/manifests/base.pp:73

Moreover the error message should be more clear: * is it because the request is forbidden? * or is it because we couldn’t find the module in the mount (which I suspect is the issue).

Can you for reference include the fileserver.conf file used, the relevant parts of your puppet.conf and the file resource at line 73 of base.pp?

fileserver.conf

[plugins]
allow 127.0.0.1/32
allow 192.168.10.0/24
allow 192.168.11.0/24
[modules]
allow 127.0.0.1/32
allow 192.168.10.0/24
allow 192.168.11.0/24

puppet.conf

[main]
vardir=/var/lib/puppet
logdir=/var/log/puppet
rundir=/var/run/puppet
ssldir=/var/lib/puppet/ssl

# plugin sync
pluginsync=true
factpath=/var/lib/puppet/lib/facter

# production
environment = production
modulepath = /home/puppet/production/modules
templatedir = /home/puppet/production/templates
manifestdir = /home/puppet/production/manifests
manifest = /home/puppet/production/manifests/site.pp

[development]
modulepath = /home/puppet/development/modules/site:/home/puppet/development/modules/dist
templatedir = /home/puppet/development/templates
manifestdir = /home/puppet/development/manifests
manifest = /home/puppet/development/manifests/site.pp

[testing]
modulepath = /home/puppet/testing/modules
templatedir = /home/puppet/testing/templates
manifestdir = /home/puppet/testing/manifests
manifest = /home/puppet/testing/manifests/site.pp

[puppetd]
classfile = /var/lib/puppet/classes.txt
localconfig = /var/lib/puppet/localconfig
report=true
listen=true
debug=true
verbose=true
catalog_format=marshal
bindaddress=
certname=
server=

[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
environments=production
autosign=false
certname=
reports=store
node_terminus=ldap
ldapserver=
ldapport=636
ldapssl=true
ldaptls=false
ldapbase = 
ldapuser = 
ldappassword=

line 73 of base.pp

    # track hosts
    file { "hosts":
        name     => "/etc/hosts",
        ensure   => present,
        replace  => true,
        owner    => 'root',
        group    => 'root',
        mode     => '0444',
        source   => [
            "puppet:///network-config/hosts/hosts.${hostname}",
            "puppet:///network-config/hosts/hosts.${fqdn}",
            "puppet:///network-config/hosts.${l}",
            "puppet:///network-config/hosts.conf"
        ],
    }

I’ve also found that the error messages don’t usually specify when a failure is because a client isn’t authenticated. Could it be that the client’s certs are missing?

Luke Kanies wrote:

I’ve also found that the error messages don’t usually specify when a failure is because a client isn’t authenticated. Could it be that the client’s certs are missing?

Well it works with 0.24.8 and I don’t change the cert. If I downgrade back it starts working again. So the cert stays in place.

Luke Kanies wrote:

I’ve also found that the error messages don’t usually specify when a failure is because a client isn’t authenticated. Could it be that the client’s certs are missing?

As discussed in the pointed thread, I think we’re facing #2748, where a 0.25.1 client doesn’t use the same environment as a 0.24.8 client. The env 0.25.1 uses doesn’t contain the network-host module, hence the error.

I think we really need a distinct error message when the module or mount doesn’t exist.