Puppetrun Failed, check log files

Hello,

Which log files would contain some more details about failures of puppetrun?

all I see in production log is:

Processing HostsController#puppetrun (for 10.206.0.62 at 2010-06-23 17:55:28) [GET]
Parameters: {"action"=>"puppetrun", "id"=>"1", "controller"=>"hosts"}

Completed in 57ms (View: 1, DB: 2) | 200 OK [https://foreman/hosts/1/puppetrun]

Mohamed.

I usually just run puppetrun manually to get its full output. Change to the
user that your foreman app runs as, and run the command

sudo /usr/sbin/puppetrun --host <hostname>



Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
WPI Senior Network Engineer | is simple, elegant, and wrong. - HL Mencken
GPG fingerprint = 6174 1257 129E 0D21 D8D4 E8A3 8E39 29E3 E2E8 8CEC

Thanks Frank…
This was working fine before… not sure what I messed up…
as root, the puppetrun command works fine.

as the user:

> sudo -Hu foreman puppetrun --host helium.dom.ain
Triggering helium.dom.ain
warning: peer certificate won't be verified in this SSL session
Host helium.dom.ain failed: HTTP-Error: 500 Internal Server Error
helium.dom.ain finished with exit code 2
Failed: helium.dom.ain

as root it works and says:
… finished with exit code 0
Finished

Thanks a lot.
Mohamed.



" Logic merely sanctions the conquests of the intuition."
Jacques Hadamard

Close, but not quite. This command runs, as the foreman user

puppetrun --host helium.dom.ain

which will probably fail because the foreman user doesn't have access to the
puppet certs. The foreman user needs to be able to run the puppet command
with elevated privs. What you need to run, as the foreman user, is the command

sudo puppetrun --host helium.dom.ain

So as root, run the command

su - foreman

and then run the 'sudo puppetrun' command.

Frank Sweetser

Hmm… run that way, it just works!

-bash-3.2$ id
uid=102(foreman) gid=103(foreman) groups=52(puppet),103(foreman) context=user_u:system_r:unconfined_t
-bash-3.2$ sudo /usr/sbin/puppetrun --host helium.dom.ain
Triggering helium.dom.ain
helium.dom.ain finished with exit code 0
Finished
-bash-3.2$

BTW, foreman is running under Apache/Passenger, with sudoexec
configured to run it as foreman user.

Mohamed.


Hm… I can't help but suspect an selinux denial at this point - this shows
your command line test running as unconfined_t, while apache/passenger almost
certainly wouldn't be.

You can test this by temporarily disabling selinux with the command

setenforce 0

Don't forget to re-enable it afterwards:

setenforce 1

Frank Sweetser

selinux did it to many so many times… unfortunately, it does not
seem to be the culprit here…
I disabled it, and even restarted apache… still no go!

Mohamed.


Oh… I found this error in the apache error log file:

sudo: sorry, you must have a tty to run sudo

googling… and ended up figuring out the solution… editing
/etc/sudoers to add:

Defaults:foreman !requiretty
foreman ALL=NOPASSWD: /usr/sbin/puppetrun

I did deploy a new sudoers to these systems today… I just don't
remember having fixed it for foreman before…
does the RPM do that?

anyways… are there other commands I would need to add there for foreman?

Thanks a lot.
Mohamed.


I think the only other entry you need is for puppetca. Here's the relevant
section of my sudoers:

Defaults:foreman !requiretty
foreman ALL = NOPASSWD: /usr/sbin/puppetca
foreman ALL = NOPASSWD: /usr/sbin/puppetrun

Frank Sweetser
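
Added example, not from the thread or the Foreman project: a shell audit that checks whether sudoers entries like the ones quoted above stay scoped to the foreman account and to named binaries. The names audit_sudoers, sample_thread and sample_broad are hypothetical, and the over-broad sample is constructed for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): audit sudoers text read on stdin for
# one service account. Prints OK/WARN findings; exit status 1 if any WARN.
audit_sudoers() {
    awk -v user="$1" '
    function warn(msg) { print "WARN " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    $1 == "Defaults" && /!requiretty/ {          # applies to every account
        warn("global !requiretty, scope it as Defaults:" user); next
    }
    $1 == ("Defaults:" user) && /!requiretty/ {  # the form used in the thread
        print "OK   !requiretty scoped to " user; next
    }
    $1 == user && /NOPASSWD:/ {
        cmds = $0
        sub(/^.*NOPASSWD:[ \t]*/, "", cmds)      # keep only the command list
        sub(/[ \t]+$/, "", cmds)
        n = split(cmds, c, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (c[i] == "ALL")        warn("NOPASSWD: ALL lets " user " run anything as root")
            else if (c[i] !~ /^\//)   warn("not an absolute path: " c[i])
            else if (c[i] ~ /[*?]/)   warn("wildcard in command: " c[i])
            else                      print "OK   NOPASSWD limited to " c[i]
        }
    }
    END { exit bad + 0 }'
}

sample_thread() {   # the entries posted in the thread
    cat <<'EOF'
Defaults:foreman !requiretty
foreman ALL = NOPASSWD: /usr/sbin/puppetca
foreman ALL = NOPASSWD: /usr/sbin/puppetrun
EOF
}

sample_broad() {    # constructed over-broad variant, for contrast only
    cat <<'EOF'
Defaults !requiretty
foreman ALL=NOPASSWD: ALL
foreman ALL=NOPASSWD: /usr/sbin/puppet*
EOF
}

sample_thread | audit_sudoers foreman
sample_broad | audit_sudoers foreman || echo "review the WARN lines above"
```

On a real host, pipe in the file you are about to deploy and check its syntax separately with visudo -cf before installing it.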

Hi,

I'm trying to keep the puppet module up2date with all of these little things
(http://github.com/ohadlevy/puppet-foreman).

Note that the instructions to set up the sudo entry contain the tty -
http://theforeman.org/projects/foreman/wiki/Puppetrun

Ohad

Thanks a lot Frank…
I had also deployed a change through puppet, that set incorrect mode on
/etc/private and /etc/pki, which caused all kinds of issues…

Mohamed.


I did not use the module install method, but I will give it a try in the future.
Thanks a lot Ohad, foreman really rocks, am gonna try the unattended
provisioning next…

Mohamed.
