auth.conf is below.
First, we have some simple classes that we use to manage files and packages that do not need to be in a module. For example, /etc/puppet/files/etc/ntp.conf is a file I distribute to all our internal systems, and I use this very simple recipe to manage it, which works fine under 2.7:
[ ntp-client.pp ]
class ntp-client {
  file { "/etc/ntp.conf":
    owner   => root,
    group   => root,
    mode    => "0644",
    source  => "puppet:///etc/ntp.conf",
    require => [ Package["ntp"] ],
    notify  => Service["ntpd"],
  }
  package { "ntp":
    ensure => latest,
  }
  service { "ntpd":
    ensure     => running,
    hasrestart => true,
    subscribe  => File["/etc/ntp.conf"],
  }
} # ntp-client
From what I read in the docs, this /should/ work. But it doesn't. I shouldn't have to create a module path in order for this recipe to work (as I've seen suggested, or I've misunderstood).
Here is the auth.conf file:
[ auth.conf ]
# This is an example auth.conf file, it mimics the puppetmasterd defaults
#
# The ACL are checked in order of appearance in this file.
#
# Supported syntax:
# This file supports two different syntax depending on how
# you want to express the ACL.
#
# Path syntax (the one used below):
# ---------------------------------
# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The path is matched as a prefix. That is, /file matches both
# /file_metadata and /file_content.
#
# Regex syntax:
# -------------
# This one is differentiated from the path one by a '~'
#
# path ~ regex
# [environment envlist]
# [method methodlist]
# [auth[enticated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The regex syntax is the same as Ruby's.
#
# Ex:
# path ~ .pp$
# will match every resource ending in .pp (manifest files, for instance)
#
# path ~ ^/path/to/resource
# is essentially equivalent to path /path/to/resource
#
# environment:: restrict an ACL to a specific set of environments
# method:: restrict an ACL to a specific set of methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (i.e. exactly as if auth yes were present).
#
### Authenticated ACL - these apply only when the client
### has a valid certificate and is thus authenticated
# allow nodes to retrieve their own catalog (i.e. their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# unconditionally allow access to all file services,
# which means in practice that fileserver.conf will
# still be used
# path /file
# allow *
# Note that nothing here works, regardless of the CIDR
path ~ ^/file_(metadata|content)/files/
auth yes
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate
# allow access to the master CA
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
# this one is not strictly necessary, but it has the merit
# of showing the default policy, which is to deny everything else
path /
# allow *
auth any
Here are some of the errors I'm seeing today. I do not have any other modules or classes defined here, just the ntp-client.pp on the staging system:
Oct 30 17:50:38 stage1 puppet-agent[3421]: catalog supports formats: b64_zlib_yaml dot pson raw yaml; using pson
Oct 30 17:50:38 stage1 puppet-agent[3421]: Caching catalog for stage1.mydomain.com
Oct 30 17:50:38 stage1 puppet-agent[3421]: Creating default schedules
Oct 30 17:50:38 stage1 puppet-agent[3421]: Loaded state in 0.00 seconds
Oct 30 17:50:38 stage1 puppet-agent[3421]: Applying configuration version '1351630198'
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]/subscribe) subscribes to File[/etc/ntp.conf]
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/require) requires Package[ntp]
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]/notify) subscribes to Service[ntpd]
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[daily]) Skipping device resources because running on a host
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[monthly]) Skipping device resources because running on a host
Oct 30 17:50:38 stage1 puppet-agent[3421]: (/Schedule[hourly]) Skipping device resources because running on a host
Oct 30 17:50:38 stage1 puppet-agent[3421]: Prefetching yum resources for package
Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm --version'
Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/bin/rpm -qa --nosignature --nodigest --qf '%{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}
Oct 30 17:50:38 stage1 puppet-agent[3421]: ''
Oct 30 17:50:38 stage1 puppet-agent[3421]: Executing '/usr/bin/python /usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/provider/package/yumhelper.py'
Oct 30 17:50:40 stage1 puppet-agent[3421]: file_metadata supports formats: b64_zlib_yaml pson raw yaml; using pson
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/File[/etc/ntp.conf]) Could not evaluate: Error 403 on SERVER: Forbidden request: stage1.mydomain.com(127.0.0.1) access to /file_metadata/etc/ntp.conf [find] authenticated at :100 Could not retrieve file metadata for puppet:///etc/ntp.conf: Error 403 on SERVER: Forbidden request: stage1.mydomain.com(127.0.0.1) access to /file_metadata/etc/ntp.conf [find] authenticated at :100
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[never]) Skipping device resources because running on a host
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[weekly]) Skipping device resources because running on a host
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]) Dependency File[/etc/ntp.conf] has failures: true
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Stage[main]/Ntp-client/Service[ntpd]) Skipping because of failed dependencies
Oct 30 17:50:40 stage1 puppet-agent[3421]: (/Schedule[puppet]) Skipping device resources because running on a host
Oct 30 17:50:40 stage1 puppet-agent[3421]: Finishing transaction 23478903583320
Oct 30 17:50:40 stage1 puppet-agent[3421]: Storing state
Oct 30 17:50:40 stage1 puppet-agent[3421]: Stored state in 0.01 seconds
Oct 30 17:50:40 stage1 puppet-agent[3421]: Finished catalog run in 2.03 seconds
Oct 30 17:50:40 stage1 puppet-agent[3421]: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml)
Oct 30 17:50:40 stage1 puppet-agent[3421]: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml
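To make the ACL walk that produces the 403 concrete, here is an added example (not Puppet's own code, and not part of the original post) that models how the master evaluates auth.conf rules against a request the way the file's own comments describe it: rules are tried in file order, a rule whose path matches but whose method or auth constraint does not apply is skipped, and the first applicable rule decides, denying when it has no matching allow entry. The rules are the active lines of the auth.conf above, embedded as a constructed string; environment constraints, deny lists and CIDR matching are left out, and the line numbers it reports are those of that string, not the ":100" in the log. Fed the request from the log (/file_metadata/etc/ntp.conf, find, authenticated), it shows that the `^/file_(metadata|content)/files/` rule never matches that path, because the mount name in `puppet:///etc/ntp.conf` is `etc`, not `files`, so the request falls through to the catch-all `path /` rule, which has no allow line. AUTH_CONF_FIXED swaps the commented-out default `path /file` / `allow *` rule back in to show the same request being allowed; the `$1` rule for catalogs is exercised as well.

```python
import re

# Constructed: the active (uncommented) rules of the auth.conf in the post,
# in the same order. Line numbers below refer to this string.
AUTH_CONF = """\
path ~ ^/catalog/([^/]+)$
method find
allow $1
path /certificate_revocation_list/ca
method find
allow *
path /report
method save
allow *
path ~ ^/file_(metadata|content)/files/
auth yes
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
path /
auth any
"""

# Same file with the never-matching file_ rule replaced by the default
# "path /file" / "allow *" rule that is commented out in the post.
AUTH_CONF_FIXED = AUTH_CONF.replace(
    "path ~ ^/file_(metadata|content)/files/\nauth yes\n", "path /file\nallow *\n")


class Rule:
    def __init__(self, line, spec):
        self.line, self.spec = line, spec
        if spec.startswith("~"):                      # regex syntax
            self.regex = re.compile(spec[1:].strip())
        else:                                         # path syntax: prefix match
            self.regex = re.compile("^" + re.escape(spec))
        self.methods = None   # None = any method
        self.auth = "yes"     # default when unspecified, as the file's comments say
        self.allow = []

    def verdict(self, node, method, authenticated, m):
        """True = allow, False = deny, None = rule does not apply to this request."""
        if self.methods is not None and method not in self.methods:
            return None
        if (self.auth == "yes" and not authenticated) or (self.auth == "no" and authenticated):
            return None
        for entry in self.allow:
            # "allow $1" takes the value of the regex capture group
            entry = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), entry)
            if entry == "*" or entry == node:
                return True
        return False                                  # applicable rule, nobody allowed


def parse(text):
    """Parse path/method/auth/allow directives; environment and deny are ignored (simplification)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            rules.append(Rule(lineno, value))
        elif key == "method":
            rules[-1].methods = {v.strip() for v in value.split(",")}
        elif key in ("auth", "authenticated"):
            rules[-1].auth = {"on": "yes", "off": "no"}.get(value, value)
        elif key == "allow":
            rules[-1].allow += [v.strip() for v in value.split(",")]
    return rules


def check(rules, path, method, node, authenticated=True):
    """Walk the rules in order; return (allowed, deciding_rule) or (False, None)."""
    for rule in rules:
        m = rule.regex.search(path)
        if m is None:
            continue
        v = rule.verdict(node, method, authenticated, m)
        if v is not None:
            return v, rule
    return False, None


if __name__ == "__main__":
    for conf in (AUTH_CONF, AUTH_CONF_FIXED):
        ok, rule = check(parse(conf), "/file_metadata/etc/ntp.conf", "find", "stage1.mydomain.com")
        print(f"{'allowed' if ok else 'denied'} by 'path {rule.spec}' at :{rule.line}")
```

Running it prints a denial by `path /` for the posted file and an allow by `path /file` for the fixed one. The same walk explains why an authenticated node asking for another node's catalog is refused at the first rule: the path matches, the rule applies, and `allow $1` only admits the node named in the URL.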