Jira (PDB-5085) puppetdb module break puppetserver when both are installed on same machine


Adrian Iurca (Jira)

Mar 30, 2021, 6:54:04 PM
to puppe...@googlegroups.com
Adrian Iurca created an issue
 
PuppetDB / Bug PDB-5085
puppetdb module break puppetserver when both are installed on same machine
Issue Type: Bug
Assignee: Unassigned
Components: PuppetDB
Created: 2021/03/30 3:53 PM
Priority: Normal
Reporter: Adrian Iurca

When puppetdb is installed on the same machine as puppetserver using the puppetdb module, puppetserver can't communicate with its agents anymore. After I flush all rules from iptables and restart puppetserver, everything works fine.

Steps to reproduce:
1. setup puppet server with one agent
2. use this site.pp

node default {}
 
node 'agent_hostname' {
  notify { 'Hello':
    message => 'Hello from server',
  }
}
 
node 'puppetserver_hostname' {
  class { 'puppetdb': }
  class { 'puppetdb::master::config': }
}

3. run puppet agent -t on puppetserver machine to install puppetdb
4. run puppet agent -t on agent machine

Actual behavior: the agent can't communicate with server

Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 0.002 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: No more routes to puppet
Info: Retrieving pluginfacts
Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 0.001 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': No more routes to fileserver
Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 0.001 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: No more routes to fileserver
Info: Retrieving plugin
Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 0.001 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': No more routes to fileserver
Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 0.001 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: No more routes to fileserver
Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 0.001 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Error: Could not retrieve catalog from remote server: No more routes to puppet
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Connection to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed, trying next route: Request to https://smaller-mandrel.delivery.puppetlabs.net:8140/puppet/v3 failed after 1.002 seconds: Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Wrapped exception:
Failed to open TCP connection to smaller-mandrel.delivery.puppetlabs.net:8140 (No route to host - connect(2) for "smaller-mandrel.delivery.puppetlabs.net" port 8140)
Error: Could not send report: No more routes to report

Expected behavior: The agent should be able to communicate with the server

Workaround used:
1. run iptables -F on server machine
2. run systemctl restart puppetserver on server machine
... and now the agent can communicate with server

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Austin Blatt (Jira)

Mar 30, 2021, 7:21:04 PM
to puppe...@googlegroups.com
Austin Blatt commented on Bug PDB-5085
 
Re: puppetdb module break puppetserver when both are installed on same machine

Adrian Iurca, thanks for reporting this. I will think about whether there are any problems with adding this functionality to the module, but in the meantime you can add this to your manifest if you don't want to have to remove the firewall rules entirely.

firewall { '8140 accept - puppetserver':
  dport  => 8140,
  proto  => 'tcp',
  action => 'accept',
}

You can also have the PuppetDB module not manage the firewall at all by disabling the manage_firewall parameter.
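
To confirm that an accept rule like the one above is evaluated before any catch-all reject, without flushing the ruleset, the following added example (not part of the thread or of the puppetdb module) walks `iptables -S INPUT` output in order and returns the first rule that decides a new TCP connection to a port. The rulesets are constructed samples, and the checker models only the simple match options shown; rules limited to one interface or address are skipped.

```python
import shlex

def port_in(spec, port):
    """True if `port` is covered by an iptables port spec such as '8081,8140' or '8000:8200'."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_decision(ruleset, port, chain="INPUT"):
    """Return (target, line_no, rule) for the first rule deciding a NEW tcp packet to `port`."""
    policy = "ACCEPT"
    for n, line in enumerate(ruleset.strip().splitlines(), 1):
        tok = shlex.split(line)
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
            continue
        if tok[:2] != ["-A", chain] or "!" in tok:
            continue  # other chains and negated matches are not modelled
        opts = dict(zip(tok[0::2], tok[1::2]))  # assumes each option takes one value
        if opts.get("-p", "tcp") not in ("tcp", "all"):
            continue
        ports = opts.get("--dport") or opts.get("--dports")
        if ports and not port_in(ports, port):
            continue
        states = opts.get("--state") or opts.get("--ctstate")
        if states and "NEW" not in states.split(","):
            continue
        if any(k in opts for k in ("-i", "-s", "-d", "--sport")):
            continue  # limited to one interface/address: does not decide the general case
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"], n, line
    return policy, None, "chain policy"

# Constructed rulesets in `iptables -S INPUT` format (not taken from the thread).
HEAD = """-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8081 -m comment --comment "8081 accept - puppetdb" -j ACCEPT
"""
ALLOW_8140 = '-A INPUT -p tcp -m multiport --dports 8140 -m comment --comment "8140 accept - puppetserver" -j ACCEPT\n'
# A client sees this ICMP rejection as "No route to host".
TAIL = "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
BLOCKED, FIXED = HEAD + TAIL, HEAD + ALLOW_8140 + TAIL

if __name__ == "__main__":
    for name, rules in (("blocked", BLOCKED), ("fixed", FIXED)):
        print(name, first_decision(rules, 8140)[:2])
```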

Adrian Iurca (Jira)

Mar 30, 2021, 7:32:04 PM
to puppe...@googlegroups.com

Adrian Iurca (Jira)

Mar 31, 2021, 9:55:03 AM
to puppe...@googlegroups.com
Adrian Iurca commented on Bug PDB-5085

Hi Austin Blatt, thanks for your reply. The rule in the manifest is a good idea, but I think it will be necessary to add to the readme how to use the puppetdb module when you want to install puppetdb on the puppetserver's machine. According to the readme, the single node setup section does not say anything about manage_firewall having to be set to false https://forge.puppet.com/modules/puppetlabs/puppetdb?_ga=2.194996461.1700039401.1617116539-1776870735.1584969090&_gac=1.87989994.1615388555.Cj0KCQiA-aGCBhCwARIsAHDl5x9kR-8_UunAgAcUc-QA95MZrZgfH8ddGI1a_Z1AMtWI6Hj9KWem0swaAlllEALw_wcB#single-node-setup. But I still consider that this could be seen as a bug, because when you want to manage the firewall on a single node setup the puppetserver port should be opened by default.

Kind regards,
Adrian IURCA

Adrian Iurca (Jira)

Mar 31, 2021, 9:58:03 AM
to puppe...@googlegroups.com
Adrian Iurca commented on Bug PDB-5085

I don't think the updates from the PR could cause any breakage because it just opens a port.

Adrian Iurca (Jira)

Mar 31, 2021, 9:59:04 AM
to puppe...@googlegroups.com
Adrian Iurca commented on Bug PDB-5085

But also this should be tested properly to be sure that other functionalities are still working as expected.

kind regards,
Adrian IURCA

Adrian Iurca (Jira)

Jul 8, 2021, 5:30:07 AM
to puppe...@googlegroups.com
Adrian Iurca commented on Bug PDB-5085

Hi Austin Blatt, is there a chance to have the fix merged?

kind regards,
Adrian Iurca


Romain Tartière

Feb 7, 2022, 11:01:04 PM
to puppe...@googlegroups.com

I would not expect a puppetdb module to adjust firewall rules for the puppetserver… Firewall configuration is somewhat site-specific; managing firewall rules related to a service from the module that manages the service does not really make sense IMHO: like any site-specific config, it should rather live in a profile where other site-specific aspects — e.g. logging rules — for the service are also managed.


David McTavish (Jira)

Feb 10, 2022, 9:23:01 AM
to puppe...@googlegroups.com

David McTavish (Jira)

Feb 10, 2022, 9:24:02 AM
to puppe...@googlegroups.com
David McTavish updated an issue
Change By: David McTavish
Method Found: Needs Assessment
Issue Type: Bug Story