puppetlabs / community Goto Github PK

Describe the Bug

Hi,

i have setup 2 new puppetservers 7 with an external puppetdb and an external foreman.

currently we facing the problem that our puppetserver node definitions are only detected in "manifests/site/default.pp"

i have my node defintions all in that file it seems that my clients can take it, but if i use separate files not.

after searching around i found that for the manifests there is the option to set the manifestspath in the file "puppet.conf" on puppetserver or set in in "environment.conf" in the environment itself.

content of "environment.conf":

`# environment.conf
manifest = manifests/site/
modulepath = modules/site:modules/common:modules/extern:$basemodulepath
environment_timeout = 3m
config_version = '/usr/bin/git --git-dir $codedir/environments/$environment/.git rev-parse HEAD'

on the puppetserver itself if i check if r10k is updating the environments i see everytime the correct config files.

We have in our infrastructure also puppetservers with them it works for whatever reason and normally that node-definition detection is from documentation a build in feature.

Could someone help me or has an idea what could cause this problem ?

Expected Behavior

Using not only default.pp, using dedicated node defintion files.

Environment

• Version Puppetserver 7 / Puppet agent 7.26
• Platform CentOS 7

How can a puppet be deployed for complete fault tolerance?
What interests me:

• Duplication of certificate servers
• Duplication of servers with manifests
  Use-case:
  If one of the two servers is unavailable, clients must correctly obtain and sign certificates and manifests.

The documentation says that I can make a cluster, but there can only be one certificate authority. What makes the system not fault-tolerant.

Today i have installed puppetserver8 on ubuntu22.04LTS machine. I have configured puppet.conf file in puppet server as like below[1] and i allowed 8140 in firewall. Next i have installed puppet agent8 in client system and configured like below[2] . Now i tried to sync with puppet master but i am getting following error [3].
[1]
root@ultra:~# cat /etc/puppetlabs/puppet/puppet.conf

[server]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code

dns_alt_names = ultra.bahwan.org

[main]
certname = ultra
server = ultra.bahwan.org
environment = production
runinterval = 30m
root@ultra:~#

[2] Client configuration
root@sync0:# cat /etc/puppetlabs/puppet/puppet.conf
server=ultra.bahwan.org
environment = production
runinterval = 30m
root@sync0:#

[3] Error message :
Error: Connection to https://ultra.bahwan.org:8140/puppet-ca/v1 failed, trying next route: Request to https://ultra.bahwan.org:8140/puppet-ca/v1 failed after 0.641 seconds: SSL_connect returned=1 errno=0 peeraddr=10.177.55.78:8140 state=error: unexpected eof while reading
Wrapped exception:
SSL_connect returned=1 errno=0 peeraddr=10.177.46.78:8140 state=error: unexpected eof while reading
Error: No more routes to ca
Error: No more routes to ca

I changed cat /etc/default/puppetserver congiuration like below
Modify this if you'd like to change the memory allocation, enable JMX, etc

JAVA_ARGS="-Xms4g -Xmx4g -Djruby.logger.class=com.puppetlabs.jruby_utils.jruby.Slf4jLogger"

I have tried but i am not getting solution. Can you please help on this?
Note: I updated both a machine time and allowed 8140 in iptables file.

I'm creating this issue because if PDK validates it, and it still fails, that seems like a bug. IMO anything that validates with PDK should not produce an error message like below.

Discussed in #72

exec { 'Sysmon':
    command => 'c:\installers\sysmon\Sysmon64.exe -accepteula -i c:\installers\sysmon\sysmonconfig-export.xml'
  }

C:\installers\sysmon>puppet agent -t
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Notice: Requesting catalog from puppet:8140
Notice: Catalog compiled by puppet-01-dc1.prod.mydomain.ca
Info: Caching catalog for win-ad01.prod.mydomain.ca
Info: Applying configuration version '1715966702'
Error: undefined method `close!' for nil:NilClass
Error: /Stage[main]/Windows_splunk/Exec[Sysmon]/returns: change from 'notrun' to ['0'] failed: undefined method `close!' for nil:NilClass (corrective)
Notice: Applied catalog in 2.97 seconds

Error: Could not find command 'c:\installers\system\Sysmon64.exe'
Error: /Stage[main]/Windows_splunk/Exec[Sysmon]/returns: change from 'notrun' to ['0'] failed: Could not find command 'c:\installers\system\Sysmon64.exe'

[root@puppet-01-dc1 windows_splunk]# pdk validate
pdk (INFO): Using Ruby 3.2.3
pdk (INFO): Using Puppet 8.6.0
pdk (INFO): Running all available validators...
pdk (INFO): Validator 'puppet-plan-syntax' skipped for '/etc/puppetlabs/code/environments/production/modules/windows_splunk'. No files matching '["plans/**/*.pp"]' found to validate.
pdk (INFO): Validator 'puppet-epp' skipped for '/etc/puppetlabs/code/environments/production/modules/windows_splunk'. No files matching '["**/*.epp"]' found to validate.
pdk (INFO): Validator 'task-name' skipped for '/etc/puppetlabs/code/environments/production/modules/windows_splunk'. No files matching '["tasks/**/*"]' found to validate.
pdk (INFO): Validator 'task-metadata-lint' skipped for '/etc/puppetlabs/code/environments/production/modules/windows_splunk'. No files matching '["tasks/*.json"]' found to validate.
┌ [✔] Running metadata validators ...
├── [✔] Checking metadata syntax (metadata.json tasks/*.json).
└── [✔] Checking module metadata style (metadata.json).
┌ [✔] Running puppet validators ...
├── [✔] Checking Puppet manifest syntax (**/*.pp).
└── [✔] Checking Puppet manifest style (**/*.pp).
┌ [✔] Running ruby validators ...
└── [✔] Checking Ruby code style (**/**.rb).
┌ [✔] Running tasks validators ...
├── [✔] Checking task names (tasks/**/*).
└── [✔] Checking task metadata style (tasks/*.json).
┌ [✔] Running yaml validators ...
└── [✔] Checking YAML syntax (**/*.yaml **/*.yml).
pdk (WARNING): puppet-lint: class not documented (manifests/init.pp:1:1)
pdk (WARNING): puppet-lint: missing trailing comma after last element (manifests/init.pp:21:141)

C:\installers\sysmon>c:\installers\sysmon\Sysmon64.exe -accepteula -i c:\installers\sysmon\sysmonconfig-export.xml

System Monitor v15.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2024 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.50
Sysmon schema version: 4.90
Configuration file validated.
The service Sysmon64 is already registered. Uninstall Sysmon before reinstalling.

C:\installers\sysmon>puppet --version
8.4.0

Hi all,

I am setting up new puppet master in AWS and I already have a puppet master configured in on-premise. I created SSL cert for the new AWS master node but when I test from puppet agent getting below error. The agent and puppet master in on-premise connects and works fine without any issue.

These are the details of each puppet master and puppet agent.

AWS Puppet Master on RHEL8
puppet-agent-7.9.0-1.el8.x86_64 puppetserver-7.4.2-1.el8.noarch

On-premise Puppet Master on RHEL7
puppetserver-7.4.2-1.el7.noarch puppet-agent-7.9.0-1.el7.x86_64

On-premise Puppet Agent on RHEL7
puppet-agent-6.8.0-1.el7.x86_64

Warning: Unable to fetch my node definition, but the agent run will continue: Warning: certificate verify failed [unable to get local issuer certificate for CN=xyz.ast.com] Info: Retrieving pluginfacts Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': certificate verify failed [unable to get local issuer certificate for CN=xyz.ast.com] Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: certificate verify failed [unable to get local issuer certificate for CN=xyz.ast..com] Info: Retrieving plugin Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed [unable to get local issuer certificate for CN=xxx.ast.com] Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: certificate verify failed [unable to get local issuer certificate for CN=xyz.ast.com] Error: Could not retrieve catalog from remote server: certificate verify failed [unable to get local issuer certificate for CN=xyz.ast.com] Warning: Not using cache on failed catalog Error: Could not retrieve catalog; skipping run

[[email protected] ec2-user]# /opt/puppetlabs/bin/puppet agent --test Info: Using configured environment 'production' Info: Retrieving pluginfacts Info: Retrieving plugin Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Could not find node statement with name 'default' or 'xyz.ast.com' on node xyz.ast.com Warning: Not using cache on failed catalog Error: Could not retrieve catalog; skipping run Error: Could not send report: Error 500 on SERVER: Server Error: undefined method gsub' for false:FalseClass
[[email protected] ec2-user]# puppet ssl verify
Notice: Verified CA certificate 'CN=Puppet Root CA: ff63bcc6f2ef04' fingerprint (SHA256) 48:3C:9E:6A:91:A1:4A:D9:6A:06:CB:36:F9:36:0D:03:C4:2F:C0:62:7E:89:5A:EB:48:A0:A5:21:E1:B6:8F:43
Notice: Verified CA certificate 'CN=Puppet CA: xyz.ast.com' fingerprint (SHA256) 15:22:BA:FE:40:74:71:52:90:C2:7F:10:CA:5F:DC:0F:10:78:BC:98:21:F3:CC:F7:C2:7E:50:11:A9:23:A4:1F
Notice: Verified client certificate 'CN=xyz.ast.com' fingerprint (SHA256) F8:CA:81:03:4D:C2:EC:52:4B:22:B3:32:0A:6B:3B:67:ED:3B:26:1B:03:A5:D6:44:1B:8A:7F:1D:8B:C3:C7:A0

`

Discussed in #34

Discussed in #35

Describe the Bug

Hi,

i have a question, if i update my puppet code/configs with r10k it updates the config version,
but it seems that the puppet clients still getting the old config-version
(i compared the version-hash on r10k from puppetserver with the configuration version if i do "puppet agent --vt --no-noop).

after i restart the puppetserver-service, then the client gets / uses the new configuration version.

Has anyone an idea what could be the reason for that behaviour ?

thx in advance.

Expected Behavior

puppet clients get immediately the current configuration version if you do a puppet-run instead of the old configuration version.

Environment

• Version puppetserver 7 / puppetclient 7.26
• Platform CentOS 7