Bug 1347228 - Installer fails to create puppet keys
Summary: Installer fails to create puppet keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Installation
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: jcallaha
URL:
Whiteboard:
Depends On:
Blocks: 1122832
Reported: 2016-06-16 10:43 UTC by Peter Vreman
Modified: 2019-09-25 21:19 UTC (History)

Fixed In Version: foreman-installer-1.11.0.10-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-16 07:11:18 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:1615 | 0 | normal | SHIPPED_LIVE | Satellite 6.2.1 bug fix update | 2016-08-16 11:09:48 UTC

Description Peter Vreman 2016-06-16 10:43:02 UTC
Description of problem:
The installer wants to create puppet keys in /var/lib/puppet/ssl/private_keys, but the mandatory directory /var/lib/puppet/ssl is not yet created at that time. See the log below where the ssl dir is created after the private_keys.

Looks like there is a puppet resource dependency missing.

[ INFO 2016-06-16 09:57:02 main]  Class[Puppet::Server::Config]: Scheduling refresh of Concat::Fragment[puppet.conf+30-master]
[ INFO 2016-06-16 09:57:02 main]  Class[Puppet::Server::Config]: Scheduling refresh of Exec[puppet_server_config-create_ssl_dir]
[ INFO 2016-06-16 09:57:02 main]  Class[Puppet::Server::Config]: Scheduling refresh of Anchor[puppet::server::config_start]
[ INFO 2016-06-16 09:57:02 main]  Class[Puppet::Server::Config]: Scheduling refresh of Anchor[puppet::server::config_end]
[ INFO 2016-06-16 09:57:02 main]  Class[Puppet::Server::Config]: Scheduling refresh of Exec[puppet_server_config-generate_ca_cert]
[ WARN 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]/owner: owner changed 'root' to 'puppet'
[ WARN 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]/group: group changed 'root' to 'puppet'
[ WARN 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]/mode: mode changed '0755' to '0750'
[ WARN 2016-06-16 09:57:02 main]  /File[/var/lib/puppet/reports]/seluser: seluser changed 'unconfined_u' to 'system_u'
[DEBUG 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event
[DEBUG 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event
[DEBUG 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event
[DEBUG 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/reports]: The container Class[Puppet::Server::Config] will propagate my refresh event
[ERROR 2016-06-16 09:57:02 main]  Cannot create /var/lib/puppet/ssl/private_keys; parent directory /var/lib/puppet/ssl does not exist
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/type/file/ensure.rb:83:in `set_directory'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:197:in `send'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:197:in `call_valuemethod'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:498:in `set'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/property.rb:581:in `sync'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/type/file/ensure.rb:183:in `sync'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:191:in `sync'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:128:in `sync_if_needed'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:81:in `perform_changes'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/resource_harness.rb:20:in `evaluate'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:174:in `apply'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:187:in `eval_resource'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:117:in `call'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:117:in `evaluate'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:327:in `thinmark'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:326:in `thinmark'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:117:in `evaluate'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/graph/relationship_graph.rb:118:in `traverse'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction.rb:108:in `evaluate'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:167:in `apply'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util/log.rb:149:in `with_destination'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/transaction/report.rb:112:in `as_logging_destination'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/resource/catalog.rb:166:in `apply'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:117:in `apply_catalog'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:161:in `benchmark'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:160:in `benchmark'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:116:in `apply_catalog'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:191:in `run'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:288:in `apply_catalog'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:228:in `main'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/context.rb:64:in `override'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet.rb:234:in `override'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:190:in `main'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application/apply.rb:151:in `run_command'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:371:in `run'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:477:in `plugin_hook'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:371:in `run'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:479:in `exit_on_fail'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:371:in `run'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:137:in `run'
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:91:in `execute'
[ INFO 2016-06-16 09:57:02 main] /usr/bin/puppet:8
[ERROR 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/ssl/private_keys]/ensure: change from absent to directory failed: Cannot create /var/lib/puppet/ssl/private_keys; parent directory /var/lib/puppet/ssl does not exist
[DEBUG 2016-06-16 09:57:02 main]  Exec[puppet_server_config-create_ssl_dir](provider=posix): Executing '/bin/mkdir -p /var/lib/puppet/ssl'
[DEBUG 2016-06-16 09:57:02 main]  Executing '/bin/mkdir -p /var/lib/puppet/ssl'
[ WARN 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]/returns: executed successfully
[DEBUG 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]: The container Class[Puppet::Server::Config] will propagate my refresh event
[ WARN 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]: Triggered 'refresh' from 1 events
[DEBUG 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/Exec[puppet_server_config-create_ssl_dir]: The container Class[Puppet::Server::Config] will propagate my refresh event


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Fresh system
2. yum install satellite
3. satellite-installer --scenario=satellite --verbose --foreman-admin-email=root@$(hostname -f) --enable-foreman-plugin-openscap --enable-foreman-plugin-remote-execution --foreman-proxy-tftp=true --foreman-proxy-puppetca=true --foreman-proxy-dhcp=false --foreman-proxy-dns=false --enable-foreman-proxy-plugin-openscap --enable-foreman-proxy-plugin-remote-execution-ssh

Actual results:
Puppet failure

Expected results:
Installation success

Additional info:

Comment 1 Peter Vreman 2016-06-16 10:47:58 UTC
Before the installer I always start with a fresh puppet installation by using the following commands:

rm -rf /etc/puppet /var/lib/puppet
yum reinstall -y puppet

Comment 2 Peter Vreman 2016-06-16 10:56:51 UTC
Checking the puppet module in /usr/share/foreman-installer/modules/puppet/manifests/server/config.pp, it is clear that the 'require' is missing on creating the parent dirs:

  ## SSL and CA configuration
  # Open read permissions to private keys to puppet group for foreman, proxy etc.
  file { "${puppet::server_ssl_dir}/private_keys":
    ensure => directory,
    owner  => $puppet::server_user,
    group  => $puppet::server_group,
    mode   => '0750',
  }

  file { "${puppet::server_ssl_dir}/private_keys/${::fqdn}.pem":
    owner => $puppet::server_user,
    group => $puppet::server_group,
    mode  => '0640',
  }

Comment 3 Peter Vreman 2016-06-16 11:49:43 UTC
Upstream PR https://github.com/theforeman/puppet-puppet/pull/394

Comment 5 jcallaha 2016-08-04 20:52:58 UTC
Verified in Satellite 6.2.1

After install, this is shown in the puppet config file

  ## SSL and CA configuration
  # Open read permissions to private keys to puppet group for foreman, proxy etc.
  file { "${puppet::server_ssl_dir}/private_keys":
    ensure  => directory,
    owner   => $puppet::server_user,
    group   => $puppet::server_group,
    mode    => '0750',
    require => Exec['puppet_server_config-create_ssl_dir'],
  }
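
The log in the description shows the signature of this ordering problem: a "parent directory does not exist" error followed later by the Exec that creates that parent. The following is an added example, not part of the bug report or of foreman-installer, that checks an installer log for that pattern; the function names are hypothetical, and the sample input is copied from the log above plus one constructed line.

```python
import re
import shlex

# Sample input: lines copied from the log in the description, plus one
# constructed line (/srv/example) whose parent is never created.
SAMPLE_LOG = """\
[ERROR 2016-06-16 09:57:02 main]  Cannot create /var/lib/puppet/ssl/private_keys; parent directory /var/lib/puppet/ssl does not exist
[ INFO 2016-06-16 09:57:02 main] /usr/lib/ruby/site_ruby/1.8/puppet/type/file/ensure.rb:83:in `set_directory'
[ERROR 2016-06-16 09:57:02 main]  /Stage[main]/Puppet::Server::Config/File[/var/lib/puppet/ssl/private_keys]/ensure: change from absent to directory failed: Cannot create /var/lib/puppet/ssl/private_keys; parent directory /var/lib/puppet/ssl does not exist
[DEBUG 2016-06-16 09:57:02 main]  Exec[puppet_server_config-create_ssl_dir](provider=posix): Executing '/bin/mkdir -p /var/lib/puppet/ssl'
[DEBUG 2016-06-16 09:57:02 main]  Executing '/bin/mkdir -p /var/lib/puppet/ssl'
[ERROR 2016-06-16 09:57:03 main]  Cannot create /srv/example/keys; parent directory /srv/example does not exist
"""

ENTRY = re.compile(r"^\[\s*(\w+) \S+ \S+ \w+\]\s+(.*)$")
MISSING = re.compile(r"Cannot create (\S+); parent directory (\S+) does not exist")
EXEC = re.compile(r"^(Exec\[[^\]]+\])\(provider=\w+\): Executing '(.+)'$")


def mkdir_targets(command):
    """Return the directories a mkdir command line creates, else []."""
    argv = shlex.split(command)
    if not argv or not argv[0].endswith("mkdir"):
        return []
    return [arg for arg in argv[1:] if not arg.startswith("-")]


def find_ordering_failures(log_text):
    """Pair each 'parent directory does not exist' error with a later Exec
    that creates that parent; a pair points at a missing 'require'."""
    findings = {}
    for number, raw in enumerate(log_text.splitlines(), start=1):
        entry = ENTRY.match(raw)
        if not entry:
            continue
        level, message = entry.groups()
        missing = MISSING.search(message)
        if level == "ERROR" and missing:
            child, parent = missing.groups()
            # Keep the first occurrence; Puppet logs the same failure twice.
            findings.setdefault(child, {"child": child, "parent": parent,
                                        "failed_at": number, "created_by": None})
        elif executed := EXEC.match(message):
            targets = mkdir_targets(executed.group(2))
            for finding in findings.values():
                if finding["created_by"] is None and finding["parent"] in targets:
                    finding["created_by"] = executed.group(1)
    return list(findings.values())
```

A finding with `created_by` set names the resource the failing `file` resource should require; one with `created_by` left as `None` means the parent was never created in that run and needs a different fix.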

Comment 7 errata-xmlrpc 2016-08-16 07:11:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1615

