Foreman-proxy complains failed to list puppet environments

I got the following errors in foreman-proxy's proxy.log file after I turned
on debugging. Anyone know what this error means? Thanks.

# Logfile created on Wed Jun 22 17:15:26 -0700 2016 by logger.rb/1.2.6
E, [2016-06-22T17:17:38.836692 #58935] ERROR -- : Failed to list puppet environments: Connection refused - connect(2)
E, [2016-06-22T17:17:48.592771 #58935] ERROR -- : Failed to list puppet environments: Connection refused - connect(2)
I, [2016-06-23T00:38:35.964966 #84003] INFO -- : 'foreman_proxy' settings were initialized with default values: :enabled: true
I, [2016-06-23T00:38:35.966024 #84003] INFO -- : Finished initialization of module 'foreman_proxy'
I, [2016-06-23T00:38:35.966129 #84003] INFO -- : 'puppet' settings were initialized with default values: :puppet_provider: puppetrun, :salt_puppetrun_cmd: puppet.run, :use_cache: true
I, [2016-06-23T00:38:36.114466 #84003] INFO -- : Initializing from Puppet config file: /etc/puppet/puppet.conf
I, [2016-06-23T00:38:36.188814 #84003] INFO -- : Finished initialization of module 'puppet'
I, [2016-06-23T00:38:36.197068 #84003] INFO -- : Finished initialization of module 'bmc'
I, [2016-06-23T00:38:36.205563 #84007] INFO -- : WEBrick 1.3.1
I, [2016-06-23T00:38:36.205892 #84007] INFO -- : ruby 1.8.7 (2013-06-27) [x86_64-linux]
D, [2016-06-23T00:38:36.207449 #84007] DEBUG -- : TCPServer.new(10.17.198.11, 8443)
I, [2016-06-23T00:38:36.209890 #84007] INFO -- :

The smart proxy connects to the Puppet master to retrieve a list of
environments; this suggests that the master isn't running (usually under
Apache).

Also check that :puppet_url is set correctly in
/etc/foreman-proxy/settings.d/puppet.yml, see
https://theforeman.org/manuals/1.11/index.html#4.3.6Puppet. You should
be able to telnet to the same host/port specified in the config.



Dominic Cleal
dominic@cleal.org

I see. I checked the setup, and it points to a Load-balanced URL:
https://balanced_foreman.example.com/. So here is my question, inviting
recommendations / best practice:

We have a Foreman cluster (more than an all-in-one installation) to handle
thousands of nodes. And so, Foreman (REST API, Reports, ENC, Web),
Foreman-proxy (with proxied puppet master function), and puppet masters are
load balanced:

load balanced Foreman (ports 80,443): balanced_foreman.example.com
load balanced Foreman-proxy (8443) : balanced_proxy.example.com
load balanced puppet master (8140): balanced_pm.example.com

And loads/requests are distributed equally to 3 different 'worker' nodes:
nodeA, nodeB, nodeC. Each node runs all three: Foreman (80 & 443),
Foreman-proxy (8443), and puppet master (8140).

Then on each node, say, nodeA, when a service needs to talk with another,
should it use the load-balanced form, or should it directly use the
service running on the same node?

i.e., when nodeA's foreman-proxy needs to get a list of puppet environments,
should the value of ':puppet_url' be set as
https://nodeA.example.com:8140, or https://balanced_pm.example.com?

The first one (https://nodeA.example.com:8140) may seem more efficient
(it doesn't need to go to the load director, and potentially get distributed
back to the same machine the request came from), and the debugging is easier:
no need to check logs on three servers should an error pop up;

while the second solution means more resilience, at the price of complexity.

What are your suggestions, and what is the popular choice here? Many thanks.

I don't recommend anything in particular, I doubt it matters much.
Either should work provided the SSL certificates in use match the
hostname you're connecting to (i.e. if connecting to the node directly,
the sAN list must contain the node hostname).



Dominic Cleal
dominic@cleal.org
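
The two checks from this thread (is anything listening on the :puppet_url host/port, and does the master's certificate list the hostname you connect to in its SAN), as an added Ruby example that is not part of the original posts or of Foreman's code. `probe`, `names_covered`, `fetch_cert` and `sample_cert` are hypothetical helper names, and the certificates are constructed samples using the hostnames from the question.

```ruby
require 'openssl'
require 'socket'

# Check 1, the "telnet" test: is anything listening on the :puppet_url host/port?
def probe(host, port, timeout = 3)
  Socket.tcp(host, port, connect_timeout: timeout) { :open }
rescue Errno::ECONNREFUSED
  :refused # what proxy.log reported as "Connection refused - connect(2)"
rescue SystemCallError, SocketError, IOError
  :unreachable
end

# Check 2: which candidate :puppet_url hostnames does this certificate's SAN cover?
def names_covered(cert, candidates)
  candidates.select { |name| OpenSSL::SSL.verify_certificate_identity(cert, name) }
end

# Fetch the certificate a live endpoint presents (inspection only, no trust check).
def fetch_cert(host, port)
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, OpenSSL::SSL::SSLContext.new)
  ssl.hostname = host # send SNI
  ssl.connect
  ssl.peer_cert
ensure
  ssl&.close
  tcp&.close
end

# Constructed sample: a self-signed certificate standing in for a master's cert.
def sample_cert(sans)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=sample')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', sans.map { |s| "DNS:#{s}" }.join(','), false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

CANDIDATES = %w[nodeA.example.com balanced_pm.example.com].freeze
lb_only = sample_cert(%w[balanced_pm.example.com])
both    = sample_cert(%w[balanced_pm.example.com nodeA.example.com])
puts "LB-only cert covers: #{names_covered(lb_only, CANDIDATES)}"
puts "Two-SAN cert covers: #{names_covered(both, CANDIDATES)}"
```

Against a real master, `names_covered(fetch_cert(host, 8140), CANDIDATES)` shows which of the two :puppet_url forms will pass hostname verification.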

Sure. Thanks for your input.

On Monday, June 27, 2016 at 2:48:33 AM UTC-7, Dominic Cleal wrote:
> On 27/06/16 09:15, Thomas Cheng wrote:
> > On Monday, June 27, 2016 at 12:36:29 AM UTC-7, Dominic Cleal wrote:
> > On 23/06/16 20:15, Thomas Cheng wrote:

