Description of problem:

I've got a strange problem on some hosts. Puppet clients connect to the puppet master server, grab their catalog, but don't even try to download their files from puppet fileserver (source or template).

Log on the puppet master (client SELINUX=enforcing or permissive):
--------------------------------------------------------------------------------
Mar 22 19:21:40 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:21:40 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:20:40 +0100 2009
Mar 22 19:21:40 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module network
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module smarthost
Mar 22 19:21:41 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:21:41 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module yum-updatesd
Mar 22 19:21:41 master puppetmasterd[25060]: Autoloaded module munin-node
Mar 22 19:21:42 master puppetmasterd[25060]: Autoloaded module func
Mar 22 19:21:42 master puppetmasterd[25060]: Autoloaded module func
Mar 22 19:21:42 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 1.35 seconds
--------------------------------------------------------------------------------

Now, if I set SELinux to disabled on those clients, it works perfectly.

Log on the puppet master (client SELINUX=disabled):
--------------------------------------------------------------------------------
Mar 22 19:26:36 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:26:36 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:25:36 +0100 2009
Mar 22 19:26:36 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:26:36 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:26:36 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:26:37 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.60 seconds
Mar 22 19:26:39 master puppetmasterd[25060]: (mount[func]) Sending /func/minion.conf to taygeta.in.my.domain.net
Mar 22 19:27:46 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/hosts(77e5627ac7ecb8272537b0c21df17509) from taygeta.in.my.domain.net
Mar 22 19:27:46 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/munin/munin-node.conf(d3c68bb49ead97ed80dc09ff93dd7677) from taygeta.in.my.domain.net
Mar 22 19:27:49 master puppetmasterd[25060]: (mount[smarthost]) Sending /smarthost/aliases to taygeta.in.my.domain.net
Mar 22 19:28:20 master puppetmasterd[25060]: (Filebucket[/var/lib/puppet/bucket]) Adding /etc/yum/yum-updatesd.conf(6561f7f46ec1c661100bdba640329d50) from taygeta.in.my.domain.net
Mar 22 19:28:21 master puppetmasterd[25060]: (mount[func]) Sending /func/func_minion.conf to taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: Expiring the node cache of taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: Not using expired node for taygeta.in.my.domain.net from cache; expired at Sun Mar 22 19:28:15 +0100 2009
Mar 22 19:29:15 master puppetmasterd[25060]: Caching node for taygeta.in.my.domain.net
Mar 22 19:29:15 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host not defined, using default
Mar 22 19:29:15 master puppetmasterd[25060]: (Scope(Class[smarthost])) relay host defined: 172.16.3.1
Mar 22 19:29:16 master puppetmasterd[25060]: Compiled catalog for taygeta.in.my.domain.net in 0.61 seconds
--------------------------------------------------------------------------------

It's strange because there's nothing in the audit.log saying that selinux has denied any action to puppetd. Moreover, if I try:

# puppetd --test --server master

It works!

Version-Release number of selected component (if applicable):
puppet-0.24.7-4.fc10.noarch
puppet-0.24.7-5.fc11.noarch

How reproducible:
seems static

Steps to Reproduce:
1. boot with SELINUX=enforcing or SELINUX=permissive
2. make some changes in files provided by the puppet master
3. start puppet on the client
4. reboot with SELINUX=disabled
5. start puppet on the client

Actual results:
Files are not downloaded or written on the client

Expected results:
Files should be downloaded and written on the client
This sounds similar to the problem from upstream ticket 1963¹. This is fixed in the current 0.24.8rc1 (which is slated to be released as 0.24.8 in the next day or so). If you can, you might want to test the packages I made for 0.24.8rc1 and see if the problem persists. Those packages are at:

http://tmz.fedorapeople.org/repo/puppet/

¹ http://projects.reductivelabs.com/issues/show/1963
I have upgraded my clients to puppet-0.24.8-0.1.rc1.fc10.noarch.rpm and it works perfectly with selinux. Thank you!
Thanks for testing and confirming this fixed the problem. Puppet 0.24.8 was released yesterday and has been built for rawhide¹. It might take a few days or so for it to show up due to the F11 Beta freeze.

¹ https://koji.fedoraproject.org/koji/buildinfo?buildID=95192