Description of problem: The installer wants to create puppet keys in /var/lib/puppet/ssl/private_keys, but the mandatory directory /var/lib/puppet/ssl is not yet created at that time. See the log below where the ssl dir is created after the private_keys. Looks like there is a puppet resource dependency missing. [ INFO 2016-06-16 09:57:02 main] Class[Puppet::Server::Config]: Scheduling refresh of Concat::Fragment[puppet.conf+30-master] [ INFO 2016-06-16 09:57:02 main] Class[Puppet::Server::Config]: Scheduling refresh of Exec[puppet_server_config-create_ssl_dir] [ INFO 2016-06-16 09:57:02 main] Class[Puppet::Server::Config]: Scheduling refresh of Anchor[puppet::server::config_start] [ INFO 2016-06-16 09:57:02 main] Class[Puppet::Server::Config]: Scheduling refresh of Anchor[puppet::server::config_end] [ INFO 2016-06-16 09:57:02 main] Class[Puppet::Server::Config]: Scheduling refresh of Exec[puppet_server_config-generate_ca_cert] [ WARN 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]/owner: owner changed 'root' to 'puppet' [ WARN 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]/group: group changed 'root' to 'puppet' [ WARN 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]/mode: mode changed '0755' to '0750' [ WARN 2016-06-16 09:57:02 main] /File[/var/lib/puppet/reports]/seluser: seluser changed 'unconfined_u' to 'system_u' [DEBUG 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event [DEBUG 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event [DEBUG 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event [DEBUG 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event [ERROR 2016-06-16 09:57:02 main] Cannot create /var/lib/puppet/ssl/private_keys; parent directory /var/lib/puppet/ssl does not exist [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/type/file/ensure.rb:83:in `set_directory' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:197:in `send' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:197:in `call_valuemethod' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:498:in `set' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:581:in `sync' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/type/file/ensure.rb:183:in `sync' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:191:in `sync' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:128:in `sync_if_needed' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:81:in `perform_changes' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:20:in `evaluate' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:174:in `apply' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:187:in `eval_resource' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:117:in `call' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:117:in `evaluate' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:327:in `thinmark' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:326:in `thinmark' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:117:in `evaluate' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/graph/relationship_graph.rb:118:in `traverse' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:108:in `evaluate' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:167:in `apply' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util/log.rb:149:in `with_destination' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/report.rb:112:in `as_logging_destination' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:166:in `apply' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:117:in `apply_catalog' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:161:in `benchmark' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:160:in `benchmark' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:116:in `apply_catalog' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:191:in `run' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:288:in `apply_catalog' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:228:in `main' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/context.rb:64:in `override' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet.rb:234:in `override' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:190:in `main' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:151:in `run_command' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:371:in `run' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:477:in `plugin_hook' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:371:in `run' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:479:in `exit_on_fail' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:371:in `run' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:137:in `run' [ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:91:in `execute' [ INFO 2016-06-16 09:57:02 main] /usr/bin/puppet:8 [ERROR 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/ssl/private_keys]/ensure: change from absent to directory failed: Cannot create /var/lib/puppet/ssl/private_keys; parent directory /var/lib/puppet/ssl does not exist [DEBUG 2016-06-16 09:57:02 main] Exec[puppet_server_config-create_ssl_dir](provider=posix): Executing '/bin/mkdir -p /var/lib/puppet/ssl' [DEBUG 2016-06-16 09:57:02 main] Executing '/bin/mkdir -p /var/lib/puppet/ssl' [ WARN 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]/returns: executed successfully [DEBUG 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]: The container Class[Puppet::Server::Config] will propagate my refresh event [ WARN 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]: Triggered 'refresh' from 1 events [DEBUG 2016-06-16 09:57:02 main] /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]: The container Class[Puppet::Server::Config] will propagate my refresh event Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Fresh system 2. yum install satellite 1. satellite-installer --scenario=satellite --verbose --foreman-admin-email=root@$(hostname -f) --enable-foreman-plugin-openscap --enable-foreman-plugin-remote-execution --foreman-proxy-tftp=true --foreman-proxy-puppetca=true --foreman-proxy-dhcp=false --foreman-proxy-dns=false --enable-foreman-proxy-plugin-openscap --enable-foreman-proxy-plugin-remote-execution-ssh 2. 3. Actual results: Puppet failure Expected results: Installation success Additional info:
Before the installer i always start with an fresh puppet instalaltion by using the following commands: rm -rf /etc/puppet /var/lib/puppet yum reinstall -y puppet
Checking the puppet module in /usr/share/foreman-installer/modules/puppet/manifests/server/config.pp it is clear that the 'require' is missing on create the parent dirs: ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${puppet::server_ssl_dir}/private_keys": ensure => directory, owner => $puppet::server_user, group => $puppet::server_group, mode => '0750', } file { "${puppet::server_ssl_dir}/private_keys/${::fqdn}.pem": owner => $puppet::server_user, group => $puppet::server_group, mode => '0640', }
Upstream PR https://github.com/theforeman/puppet-puppet/pull/394
Verified in Satellite 6.2.1 After install, this is shown in the puppet config file ## SSL and CA configuration # Open read permissions to private keys to puppet group for foreman, proxy etc. file { "${puppet::server_ssl_dir}/private_keys": ensure => directory, owner => $puppet::server_user, group => $puppet::server_group, mode => '0750', require => Exec['puppet_server_config-create_ssl_dir'], }
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1615