GCE based puppet agent connection to master fails
michael...@ul.ie
Networking
I have added a firewall rule to GCE to allow 8140 tcp from my puppet master to instances connected to the network where my agent resides.
I have disabled firewalls on master and agent for testing.
I can ping the master from agent by IP, FQDN and "puppet"
I can ping the agent from master by IP & FQDN
On master
puppet cert list shows no certs outstanding
running wireshark on master shows only icmp traffic from agent at the time of cert request
On agent:
[root@server]# puppet agent --server MYFQDNMASTER --waitforcert 60 --test
Error: Could not request certificate: Connection timed out - connect(2)
I installed puppet (agent) from puppetlabs RHEL repo and puppet --version reports 3.4.3
Puppet master is from foreman 1.4.1 and reports version as 2.7.23 for both master and agent
service puppet status reports its running on the agent
I edited /etc/puppet/puppet.conf on the agent to be
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuratiion. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
server = FQDN of my puppet master
report = true
pluginsync = true
certname = FQDN of agent
José Luis Ledesma
Hi,
I think that 8140 should be bidirectional.
Regards,
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/85f85794-eb0e-407f-99ed-c17080ef2d69%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
Michael.OBrien
Wouldn’t it be bidirectional if the agent’s firewall was off because GCE doesn’t block outgoing traffic with its firewall?
--
You received this message because you are subscribed to a topic in the Google Groups "Puppet Users" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/puppet-users/GaX5OZD8XTE/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
puppet-users...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAF_B3dfFw3YBzoQtqSinPQJcy1MoSufeGkqtPCPrz%3De5xEeM1A%40mail.gmail.com.
José Luis Ledesma
Good question
Try a
Telnet puppet-master 8140
From the "agent"
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/36667CDCAAF70140AE7738BB93CA8C9605915F%40ExMbx1.ul.campus.
michael...@ul.ie
From master to agent I get "connection refused"
To unsubscribe from this group and all its topics, send an email to puppet-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAF_B3dfFw3YBzoQtqSinPQJcy1MoSufeGkqtPCPrz%3De5xEeM1A%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
José Luis Ledesma
So it means there is a firewall dropping the connection somewhere
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/bcd0251f-2962-4d07-9a1e-e3f9f23dcf70%40googlegroups.com.