Re: Func 0.28 with puppet and EL 5.5

> Hi,
>
> I have been using func 0.24 for awhile with puppet and no problems and decided to upgrade to the latest offered from epel, 0.28. After updating I cannot get even a ping response from the func client on the master.
>
> A func ping results in [FAILED], and running a module like command results in:
> ('func.lsu.edu',
>  ['REMOTE_ERROR',
>   'xmlrpclib.Fault',
>   "<Fault 1: 'func.minion.codes.AccessToMethodDenied:'>"])
>
> The debug logs look like:
>
> 2011-05-23 15:26:24,453 - DEBUG - Loading func.overlord.modules.utils.utils module
> 2011-05-23 15:26:24,454 - WARNING - Could not load  module
> 2011-05-23 15:26:24,454 - WARNING - ['Traceback (most recent call last):\n', '  File "/usr/lib/python2.4/site-packages/func/module_loader.py", line 108, in load_modules\n    blip =  __import__("%s%s" % ( mod_dir,mod_imp_name), globals(), locals(), [mod_imp_name])\n', 'ValueError: Empty module name\n']
> 2011-05-23 15:26:24,455 - DEBUG - Loading func.overlord.modules.copyfile.copyfile module
> 2011-05-23 15:26:24,541 - DEBUG - cn: func.lsu.edu sub_hash: 952665255
> 2011-05-23 15:26:24,543 - DEBUG - current acls {u'ca--1304069296': ['*', 'foo']}
> 2011-05-23 15:26:24,543 - DEBUG - hostkey func.lsu.edu-952665255

Hi Jason,

I've probably been hit by the very same problem. The short story is
that your overlord node is not sending the right cert to identify
itself to the minion.

To fix it, I had to change this in /etc/func/overlord.conf:
#cert_file = /var/lib/puppet/ssl/certs/puppet.example.org.pem
#key_file = /var/lib/puppet/ssl/private_keys/puppet.example.org.pem
cert_file = /var/lib/puppet/ssl/certs/ca.pem
key_file  = /var/lib/puppet/ssl/ca/ca_key.pem

It seems that the instructions to set up Puppet/Func integration are inaccurate.

Logging problem: IMHO funcd should report authorization problems
nicely. This is how it looks now:

==> func/func.log <==
2011-06-10 13:03:26,804 - DEBUG - cn: puppet.example.org sub_hash: 710746128
2011-06-10 13:03:26,806 - DEBUG - current acls {u'ca-2990898000': ['*', 'foo']}
2011-06-10 13:03:26,806 - DEBUG - hostkey puppet.example.org-710746128

After some head-scratching I figured out that this means "Incoming
overlord cert has hash 710746128, expected cert (from implicit acl) is
2990898000".
This page was a great help, btw (https://fedorahosted.org/func/wiki/FuncSecurity)

Logging on the client side could also be improved. Not even at DEBUG level
can you see the response from the remote end (for ping).
(Desperate, I had to decrypt the session in Wireshark.)

> 2011-05-23 15:26:24,454 - WARNING - Could not load  module
> 2011-05-23 15:26:24,454 - WARNING - ['Traceback (most recent call last):\n', '  File "/usr/lib/python2.4/site-packages/func/module_loader.py", line 108,

This WARN is totally unrelated.
When func is walking over the files to load, it will come to the entry
/usr/lib/python2.4/site-packages/func/overlord/modules/__init__.py
After some processing and stripping __init__.py, it will try to execute..

import func.overlord.modules.        # <-- notice the dot

.. and bomb out. That warning should be harmless.

System: RHEL5.6/Fedora14, func 0.28

Regards,

BranoZ

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
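
A small parser for the three DEBUG lines discussed in the message above, as an added example (not part of the original message and not func's own code). It assumes, following the message's reading of the log, that the minion accepts a call only when the logged hostkey is one of the keys of the logged ACL dict; the function name and the second log record are constructed for illustration.

```python
import ast
import re

# First three lines: the func.log excerpt from the message.
# Last three lines: constructed, to show a check that passes.
SAMPLE_LOG = """\
2011-06-10 13:03:26,804 - DEBUG - cn: puppet.example.org sub_hash: 710746128
2011-06-10 13:03:26,806 - DEBUG - current acls {u'ca-2990898000': ['*', 'foo']}
2011-06-10 13:03:26,806 - DEBUG - hostkey puppet.example.org-710746128
2011-06-10 13:09:41,112 - DEBUG - cn: ca sub_hash: 2990898000
2011-06-10 13:09:41,113 - DEBUG - current acls {u'ca-2990898000': ['*', 'foo']}
2011-06-10 13:09:41,113 - DEBUG - hostkey ca-2990898000
"""

LINE = re.compile(r"^(\S+ \S+) - DEBUG - (.*)$")
ACLS = re.compile(r"^current acls (\{.*\})$")
HOSTKEY = re.compile(r"^hostkey (\S+)$")


def explain_acl_checks(log_text):
    """Pair each 'hostkey' line with the 'current acls' line before it.

    Assumption (the message's reading of the log): the overlord is accepted
    only if its hostkey '<cn>-<sub_hash>' is a key of the ACL dict.
    """
    findings, acls = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # WARNING lines, tracebacks, "==> file <==" headers
        stamp, msg = m.groups()
        a = ACLS.match(msg)
        if a:
            try:
                acls = ast.literal_eval(a.group(1))  # parses literals only
            except (ValueError, SyntaxError):
                acls = None  # truncated or malformed dict: cannot judge
            continue
        h = HOSTKEY.match(msg)
        if h and acls is not None:
            key = h.group(1)
            findings.append({"time": stamp, "hostkey": key,
                             "expected": sorted(acls), "allowed": key in acls})
            acls = None  # each request logs its own ACL line
    return findings


if __name__ == "__main__":
    for f in explain_acl_checks(SAMPLE_LOG):
        verdict = "match" if f["allowed"] else "DENIED: overlord cert not in ACL"
        print(f["time"], f["hostkey"], "expected", f["expected"], "->", verdict)
```

Run against a minion's func.log, this turns the silent AccessToMethodDenied case into one line per request naming the presented hostkey and the ACL keys it was compared with.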