Problem:
My VMs are being provisioned with Puppet 4.10, however my Katello server is running puppetlabs 6.4, and it has agent 6.6. I am unable to get the VMs to do a successful puppet agent -t run once the VM is completed the build. Possibly because of the version difference.
I am using all the default templates, and all my VMs and Katello server are running Centos 7.6
Expected outcome:
VMs should be provisioned with puppet --version 6.x
Foreman and Proxy versions:
Foreman 1.22 / Katello 3.12
first off, do you get any specific error message? “Unable to do a successfil puppet agent -t” is not a very descriptive error description
Anyways, I would assume it is because of the version difference, like you mentioned. Puppet in general only supports agent version <= master version, but never agent version > master version.
In general, I see two options you have here:
Update your Puppet Master (on your Katello server) to Puppet 6.6
Set up your own mirror of the upstream Puppet repo and make sure that the versions match there
( 3) You could also modify the templates to install puppet agent 6.4, but I would recommend against that for several reasons)
The Provisioning templates still lack an option for Puppet 6, but if you set enable-puppetlabs-puppet5-repo it will use Puppet 5 which should work.
If you have some time, you could try to add a similar parameter for Puppet 6, adjust the handling in the snippets puppetlabs_repo, puppet.conf and puppet_setup and make this upstream.
Hey,
Something I didnt mention was the puppet.conf on the agents is not getting populated with any configuration. Not even the servers details are being entered, so the run simply fails because it doesnt know which is the puppet master. However, when I manually edit the puppet.conf the error is quite lengthy. I think that if I can get the VMs to provision with the correct config then the issue will go away.
I have another katello server 3.09 which is running puppet 4 and I have no issues at all with provisioning agents. I dont understand why I cant have the same luck with Katello 3.12 and Puppet6. Another thing to note, the puppet master on my Katello 3.12 server has puppet server 6.4 and puppet agent 6.6, this is the versions Katello gave me when I did the initial install, the fact that the agent has a greater version that the server doesnt seem to affect it. The agent runs work fine.
I’ve enable Puppet 5 repo and provisioned a new VM. The puppet.conf looks to be correct, and the certificate was already automatically signed by the server.
When I do a puppet agent run, I get the error below:
[root@rena-kildow ~]# puppet --version
5.5.16
[root@rena-kildow ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using ‘eval_generate’: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA: 2b2ebabb9e9ae1]
[root@rena-kildow ~]#
While writing that I did discover that the enable-puppetlabs-repo parameter (which has always been there) enables the generic puppet repo. In the past that was the Puppet 3 repository so we’d recommend pc1 or puppet5, but now it appears to be the latest stable version. That means you can use it to install Puppet 6 on clients.
I’ve confirmed the issue is with puppet versions. Puppet agent 4 or 5 simply wont work with the Katello puppetserver being version 6. I did a fresh VM provision without puppet being installed, I then manyally added the repos for version 4, 5 and 6 on 3 separate VMs. They all got the same puppet.conf entry.
The only one with the successful puppet run was puppet agent 6.
Versions 4 and 5 gave the same error as my post above.
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet Root CA:
…
.
…
Now to try add puppetlabs 6 into the templates, if anyone can assist here please let me know as I have little experience with template writing.
