Hello,
Which log files would contain some more details about failures of puppetrun?
all I see in production log is:
Processing HostsController#puppetrun (for 10.206.0.62 at 2010-06-23 17:55:28) [GET]
Parameters: {"action"=>"puppetrun", "id"=>"1", "controller"=>"hosts"}
Completed in 57ms (View: 1, DB: 2) | 200 OK [https://foreman/hosts/1/puppetrun]
Mohamed.
I usually just run puppetrun manually to get its full output. Change to the
user that your foreman app runs as, and run the command
sudo /usr/sbin/puppetrun --host <hostname>
···
On 6/23/2010 6:01 PM, Mohamed Lrhazi wrote:
> Hello,
>
> Which log files would contain some more details about failures of puppetrun?
–
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Thanks Frank…
This was working fine before… not sure what I messed up…
as root, the puppetrun command works fine.
as the user:
> sudo -Hu foreman puppetrun --host helium.dom.ain
Triggering helium.dom.ain
warning: peer certificate won't be verified in this SSL session
Host helium.dom.ain failed: HTTP-Error: 500 Internal Server Error
helium.dom.ain finished with exit code 2
Failed: helium.dom.ain
as root it works and says:
… finished with exit code 0
Finished
Thanks a lot.
Mohamed.
···
On Wed, Jun 23, 2010 at 6:12 PM, Frank Sweetser wrote:
> On 6/23/2010 6:01 PM, Mohamed Lrhazi wrote:
>>
>> Hello,
>>
>> Which log files would contain some more details about failures of
>> puppetrun?
>
> I usually just run puppetrun manually to get its full output. Change to the
> user that your foreman app runs as, and run the command
>
> sudo /usr/sbin/puppetrun --host <hostname>
>
–
" Logic merely sanctions the conquests of the intuition."
Jacques Hadamard
Close, but not quite. This command runs, as the foreman user
puppetrun --host helium.dom.ain
which will probably fail because the foreman user doesn't have access to the
puppet certs. The foreman user needs to be able to run the puppet command
with elevated privs. What you need to run, as the foreman user, is the command
sudo puppetrun --host helium.dom.ain
So as root, run the command
su - foreman
and then run the 'sudo puppetrun' command.
···
On 6/23/2010 6:21 PM, Mohamed Lrhazi wrote:
> Thanks Frank...
> This was working fine before... not sure what I messed up...
> as root, the puppetrun command works fine.
>
> as the user:
>
>> sudo -Hu foreman puppetrun --host helium.dom.ain
–
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
Hmm… run that way, it just works!
-bash-3.2$ id
uid=102(foreman) gid=103(foreman) groups=52(puppet),103(foreman)
context=user_u:system_r:unconfined_t
-bash-3.2$ sudo /usr/sbin/puppetrun --host helium.dom.ain
Triggering helium.dom.ain
helium.dom.ain finished with exit code 0
Finished
-bash-3.2$
BTW, foreman is running under Apache/Passenger, with sudoexec
configured to run it as foreman user.
Mohamed.
···
On Wed, Jun 23, 2010 at 6:26 PM, Frank Sweetser wrote:
> On 6/23/2010 6:21 PM, Mohamed Lrhazi wrote:
>>
>> Thanks Frank...
>> This was working fine before... not sure what I messed up...
>> as root, the puppetrun command works fine.
>>
>> as the user:
>>
>>> sudo -Hu foreman puppetrun --host helium.dom.ain
>
> Close, but not quite. This command runs, as the foreman user
>
> puppetrun --host helium.dom.ain
>
> which will probably fail because the foreman user doesn't have access to the
> puppet certs. The foreman user needs to be able to run the puppet command
> with elevated privs. What you need to run, as the foreman user, is the
> command
>
> sudo puppetrun --host helium.dom.ain
>
> So as root, run the command
>
> su - foreman
>
> and then run the 'sudo puppetrun' command.
>
Hm… I can't help but suspect an selinux denial at this point - this shows
your command line test running as unconfined_t, while apache/passenger almost
certainly wouldn't be.
You can test this by temporarily disabling selinux with the command
setenforce 0
Don't forget to re-enable it afterwards:
setenforce 1
···
On 6/23/2010 6:34 PM, Mohamed Lrhazi wrote:
> Hmm.. run that way, it just works!
>
> -bash-3.2$ id
> uid=102(foreman) gid=103(foreman) groups=52(puppet),103(foreman)
> context=user_u:system_r:unconfined_t
–
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
selinux did it to many so many times… unfortunately, it does not
seem to be the culprit here…
I disabled it, and even restarted apache… still no go!
Mohamed.
···
On Wed, Jun 23, 2010 at 6:40 PM, Frank Sweetser wrote:
> On 6/23/2010 6:34 PM, Mohamed Lrhazi wrote:
>>
>> Hmm.. run that way, it just works!
>>
>> -bash-3.2$ id
>> uid=102(foreman) gid=103(foreman) groups=52(puppet),103(foreman)
>> context=user_u:system_r:unconfined_t
>
> Hm... I can't help but suspect an selinux denial at this point - this shows
> your command line test running as unconfined_t, while apache/passenger
> almost certainly wouldn't be.
>
> You can test this by temporarily disabling selinux with the command
>
> setenforce 0
>
> Don't forget to re-enable it afterwards:
>
> setenforce 1
>
Oh… I found this error in the apache error log file:
sudo: sorry, you must have a tty to run sudo
googling… and ended up figuring out the solution… editing
/etc/sudoers to add:
Defaults:foreman !requiretty
foreman ALL=NOPASSWD: /usr/sbin/puppetrun
I did deploy a new sudoers to these systems today… I just don't
remember having fixed it for foreman before…
does the RPM do that?
anyways… are there other commands I would need to add there for foreman?
Thanks a lot.
Mohamed.
···
On Wed, Jun 23, 2010 at 6:47 PM, Mohamed Lrhazi wrote:
> selinux did it to many so many times... unfortunately, it does not
> seem to be the culprit here...
> I disabled it, and even restarted apache.. still no go!
>
> Mohamed.
>
I think the only other entry you need is for puppetca. Here's the relevant
section of my sudoers:
Defaults:foreman !requiretty
foreman ALL = NOPASSWD: /usr/sbin/puppetca
foreman ALL = NOPASSWD: /usr/sbin/puppetrun
···
On 6/23/2010 7:08 PM, Mohamed Lrhazi wrote:
> Oh.. I found this error in the apache error log file:
>
> sudo: sorry, you must have a tty to run sudo
>
> googling... and ended up figuring out the solution.. editing
> /etc/sudoers to add:
>
> Defaults:foreman !requiretty
> foreman ALL=NOPASSWD: /usr/sbin/puppetrun
>
> I did deploy a new sudoers to these systems today... I just don't
> remember having fixed it for foreman before...
> does the RPM do that?
>
> anyways.. are there other commands I would need to add there for foreman?
–
Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC
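The sudoers entries quoted in this thread can be checked mechanically before a new sudoers file is deployed. The following is an added example, not part of the original posts or of Foreman: a POSIX shell function that flags a service account whose rules lack the per-user `!requiretty` override, would prompt for a password, or grant more than specific absolute command paths. The function name `audit_sudoers`, its finding labels and both sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the sudoers rules for a service
# account that runs sudo without a terminal, such as the foreman user here.
# Assumes requiretty is enabled globally, as on the systems in this thread.

# Constructed sample: the entries quoted in the thread.
SAMPLE_OK='Defaults:foreman !requiretty
foreman ALL = NOPASSWD: /usr/sbin/puppetca
foreman ALL = NOPASSWD: /usr/sbin/puppetrun'

# Constructed counter-example: no per-user override and a blanket grant.
SAMPLE_BAD='Defaults requiretty
foreman ALL = NOPASSWD: ALL'

# audit_sudoers USER TEXT: prints one finding per line; status 0 means clean.
audit_sudoers() {
  printf '%s\n' "$2" | awk -v u="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    $1 == ("Defaults:" u) {                      # per-user Defaults line
      if ($0 ~ /!requiretty/) notty = 1
      next
    }
    $1 == u {                                    # rule for the service account
      seen = 1
      if ($0 !~ /NOPASSWD:/) {                   # a web app cannot answer a prompt
        print "password-required: " $0; bad = 1; next
      }
      rest = $0
      sub(/^.*NOPASSWD:[ \t]*/, "", rest)        # keep only the command list
      n = split(rest, cmds, /[ \t]*,[ \t]*/)
      for (i = 1; i <= n; i++) {
        split(cmds[i], w, /[ \t]+/)              # w[1] is the command itself
        if (w[1] == "ALL") { print "unrestricted-command: " $0; bad = 1 }
        else if (w[1] !~ /^\//) { print "relative-path: " w[1]; bad = 1 }
      }
    }
    END {
      if (!seen)  { print "no-rule-for: " u; bad = 1 }
      if (!notty) { print "no-requiretty-override-for: " u; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# Show the findings for the counter-example.
audit_sudoers foreman "$SAMPLE_BAD" || echo "findings reported for SAMPLE_BAD"
```

This checks policy only; `visudo -c -f <file>` remains the syntax check to run before installing the file.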
Hi,
I'm trying to keep the puppet module up2date with all of these little things
(http://github.com/ohadlevy/puppet-foreman).
note that the instructions to setup the sudo entry contains the tty -
http://theforeman.org/projects/foreman/wiki/Puppetrun
Ohad
···
On Thu, Jun 24, 2010 at 7:08 AM, Mohamed Lrhazi wrote:
> Oh… I found this error in the apache error log file:
> sudo: sorry, you must have a tty to run sudo
> googling… and ended up figuring out the solution… editing
> /etc/sudoers to add:
> Defaults:foreman !requiretty
> foreman ALL=NOPASSWD: /usr/sbin/puppetrun
> I did deploy a new sudoers to these systems today… I just don't
> remember having fixed it for foreman before…
> does the RPM do that?
> anyways… are there other commands I would need to add there for foreman?
> Thanks a lot.
> Mohamed.
Thanks a lot Frank…
I had also deployed a change through puppet, that set incorrect mode on
/etc/private and /etc/pki, which caused all kinds of issues…
Mohamed.
···
On Wed, Jun 23, 2010 at 9:08 PM, Frank Sweetser wrote:
> On 6/23/2010 7:08 PM, Mohamed Lrhazi wrote:
>>
>> Oh.. I found this error in the apache error log file:
>>
>> sudo: sorry, you must have a tty to run sudo
>>
>> googling... and ended up figuring out the solution.. editing
>> /etc/sudoers to add:
>>
>> Defaults:foreman !requiretty
>> foreman ALL=NOPASSWD: /usr/sbin/puppetrun
>>
>> I did deploy a new sudoers to these systems today... I just don't
>> remember having fixed it for foreman before...
>> does the RPM do that?
>>
>> anyways.. are there other commands I would need to add there for foreman?
>
> I think the only other entry you need is for puppetca. Here's the relevant
> section of my sudoers:
>
> Defaults:foreman !requiretty
> foreman ALL = NOPASSWD: /usr/sbin/puppetca
> foreman ALL = NOPASSWD: /usr/sbin/puppetrun
>
I did not use the module install method, but I will give it a try in the future.
Thanks a lot Ohad, foreman really rocks, am gonna try the unattended
provisioning next…
Mohamed.
···
On Wed, Jun 23, 2010 at 10:12 PM, Ohad Levy wrote:
> Hi,
>
> I'm trying to keep the puppet module up2date with all of these little things
> (http://github.com/ohadlevy/puppet-foreman).
>
> note that the instructions to setup the sudo entry contains the tty -
> http://theforeman.org/projects/foreman/wiki/Puppetrun
>
> Ohad
>