Connection to foreman:8140/puppet-ca/v1 failed

tedevil · April 11, 2022, 4:30pm

Just deployed Foreman 3.2/Katello 4.4 on Almalinux 8.5 and everything seems to be working fine but noticed the these messages coming in the /var/log/messages every two minutes:

Apr 11 16:09:09 foreman puppet-agent[1284]: Connection to https://foreman.example.com:8140/puppet-ca/v1 failed, trying next route: Request to https://foreman.example.com:8140/puppet-ca/v1 failed after 0.002 seconds: Failed to open TCP connection to foreman.example.com:8140 (Connection refused - connect(2) for "foreman.example.com" port 8140)
Apr 11 16:09:09 foreman puppet-agent[1284]: Wrapped exception:
Apr 11 16:09:09 foreman puppet-agent[1284]: Failed to open TCP connection to foreman.example.com:8140 (Connection refused - connect(2) for "foreman.example.com" port 8140)
Apr 11 16:09:09 foreman puppet-agent[1284]: No more routes to ca

I have no service listening on port 8140:

[root@foreman log]# netstat -l -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9090            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::9090                 :::*                    LISTEN
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
tcp6       0      0 127.0.0.1:61613         :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 127.0.0.1:23443         :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
udp6       0      0 ::1:323                 :::*

What is going on here?

Installed foreman with:
foreman-installer --scenario katello --foreman-initial-organization "example" --foreman-initial-location "xxxxxx" --foreman-initial-admin-username admin --foreman-initial-admin-password xxxxxx --enable-foreman-plugin-openscap --enable-foreman-proxy-plugin-openscap --enable-foreman-plugin-ansible --enable-foreman-proxy-plugin-ansible --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh

tedevil · April 12, 2022, 7:47am

So it seems this is the Puppet agent trying to connect internally to what I assume is a puppet master?

[root@foreman ~]# systemctl restart puppet
[root@foreman ~]# systemctl status puppet
● puppet.service - Puppet agent
   Loaded: loaded (/usr/lib/systemd/system/puppet.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-04-12 07:31:25 UTC; 5s ago
 Main PID: 18691 (puppet)
    Tasks: 1 (limit: 102320)
   Memory: 52.6M
   CGroup: /system.slice/puppet.service
           └─18691 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize

Apr 12 07:31:25 foreman.example.com systemd[1]: Started Puppet agent.
Apr 12 07:31:26 foreman.example.com puppet-agent[18691]: Connection to https://foreman.example.com:8140/puppet-ca/v1 failed, trying next route: Reques>
Apr 12 07:31:26 foreman.example.com puppet-agent[18691]: Wrapped exception:
Apr 12 07:31:26 foreman.example.com puppet-agent[18691]: Failed to open TCP connection to foreman.example.com:8140 (Connection refused - connect(2) fo>
Apr 12 07:31:26 foreman.example.com puppet-agent[18691]: No more routes to ca

[root@foreman ~]# more /usr/lib/firewalld/services/puppetmaster.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Puppet Master</short>
  <description>Puppet is a network tool for managing many disparate systems. Puppet Master is a server which Puppet Agents pull their configurations from.</descrip
tion>
  <port protocol="tcp" port="8140"/>
</service>

Looking at the choices during installation there are some puppet choices but they are all false as default and I never selected them:

--[no-]enable-foreman-plugin-puppet Enable 'foreman_plugin_puppet' puppet module (default: false)
--[no-]enable-foreman-plugin-puppetdb Enable 'foreman_plugin_puppetdb' puppet module (default: false)
--[no-]enable-puppet Enable 'puppet' puppet module (default: false)

Are they needed? Can I safely disable the puppet agent service?

tedevil · April 12, 2022, 10:57am

These are the puppet packages install my the installed on both the Foreman server and my external proxy:

[root@foreman ~]# rpm -qa| grep puppet
puppet7-release-7.0.0-2.el8.noarch
puppet-agent-oauth-0.5.5-1.el8.noarch
puppet-agent-7.15.0-1.el8.x86_64

[root@foremanproxy ~]# rpm -qa| grep puppet
puppet7-release-7.0.0-2.el8.noarch
puppet-agent-oauth-0.5.5-1.el8.noarch
puppet-agent-7.15.0-1.el8.x86_64

On the foreman server the puppet agent service in enabled, on the proxy it is disabled.
I have no need for puppet unless Foreman or any of its enabled components needs it?

tedevil · April 13, 2022, 3:25pm

No response from the forum so I guess I will try and just disable the puppet agent service on the foreman server with:
systemctl stop puppet
systemctl disable puppet

Hopefully it will not break anything.
If it does not break anything and the service is not actually needed, makes me wonder why it was started and even installed in the first place.

ezr-ondrej · April 20, 2022, 8:47am

Hi, sorry it took a while

It is safe to disable the puppet-agent, it is not required. The error is some missconfiguration on our part, the ability to disable puppet plugins on installation is quite fresh, so we just need to adjust the agent config if puppet is disabled

We will try to deal with that, but disabling the agent in the meantime is the best way to go

vchepkov · May 6, 2022, 1:31am

I noticed that as well
disabling agent is not persistent, once you run foreman-installer, agent is re-enabled and started again

gvde · May 6, 2022, 5:53am

There is some discussion in Foreman-installer enables puppet.service although puppet integration is not enabled and a link to Bug #34819: Puppet Agent enabled in Katello installations, even if it should not - Installer - Foreman