permission denied on files


Tim Dunphy

Jun 16, 2015, 10:20:22 PM
to puppet...@googlegroups.com
Hi all,

I've set up a Puppet module to install and keep the Bacula backup system running on a number of systems.


Part of the formula I've come up with is to transfer an SSL cert/key pair to each host that uses the module, so that Bacula can work over TLS.

I have this defined in my bacula config manifest:

# Per-host TLS key, served from files/<hostname>/ inside the bacula module
file { "/etc/pki/tls/private/${::hostname}.mydomain.com.key":
  notify  => Service["bacula-fd"],
  owner   => "bacula",
  group   => "bacula",
  mode    => '0400',
  require => Package["bacula-client", "bacula-common"],
  source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.mydomain.com.key",
}

# Per-host TLS certificate, same layout on the master
file { "/etc/pki/tls/certs/${::hostname}.mydomain.com.crt":
  notify  => Service["bacula-fd"],
  owner   => "bacula",
  group   => "bacula",
  mode    => '0400',
  require => Package["bacula-client", "bacula-common"],
  source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.mydomain.com.crt",
}



This has been working perfectly fine for a while now, but on SOME hosts that were recently added I'm getting permission denied errors on the key pairs that I'm trying to send over.


Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor1.mydomain.com.crt]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor1/monitor1.mydomain.com.crt
Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor1.mydomain.com.key]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor1/monitor1.mydomain.com.key

And this is the weird part! All of the directories that I'm transferring keys and certs from have identical ownership and permissions for both the working and the non-working hosts!

This is a directory listing of certs and keys that does NOT work:

environments/production/modules/bacula/files/monitor1:
total 8.0K
-rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
-rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key


And this is a listing from a directory containing certs and keys that DOES work:

environments/production/modules/bacula/files/logs:
total 8.0K
-rw-r--r--. 1 puppet puppet 1.9K Apr 23 22:14 logs.jokefire.com.crt
-rw-r--r--. 1 puppet puppet 3.2K Apr 23 22:14 logs.jokefire.com.key

And these are permissions on the directories themselves:

drwxr-xr-x. 2 puppet puppet 62 Jun 16 22:13 environments/production/modules/bacula/files/logs
drwxr-xr-x. 2 puppet puppet 70 Jun 16 22:14 environments/production/modules/bacula/files/monitor1

Trouble is, I can tell no difference between the working and non-working directories.

If I run puppet with the bacula module on the monitor1 host, I get the error. If I run puppet with the bacula module on the logs host, everything works fine!

I'm just wondering what I may be missing that could get rid of that error!

Thanks,
Tim
--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Martin Alfke

Jun 17, 2015, 3:18:17 AM
to puppet...@googlegroups.com
Hi Tim,

the agent wants to fetch the file
> puppet:///modules/bacula/monitor1/monitor1.mydomain.com.crt

But on the Master you are showing us a file with the name:
> environments/production/modules/bacula/files/monitor1:
> total 8.0K
> -rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
> -rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key

mydomain.com <-> jokefire.com

Is this copy-n-paste, or do the filename and the source name not match?

Best,
Martin

Tim Dunphy

Jun 17, 2015, 8:50:06 AM
to puppet...@googlegroups.com
> mydomain.com <-> jokefire.com
> Is this copy-n-paste or does the filename and the source name not match?

Yah, this was a mistake on my part in trying to obscure the domain name. LOL

Sorry about that. But in fact mydomain.com == jokefire.com

Here's the actual definition:

# Per-host TLS key, served from files/<hostname>/ inside the bacula module
file { "/etc/pki/tls/private/${::hostname}.jokefire.com.key":
  notify  => Service["bacula-fd"],
  owner   => "bacula",
  group   => "bacula",
  mode    => '0400',
  require => Package["bacula-client", "bacula-common"],
  source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.jokefire.com.key",
}

# Per-host TLS certificate, same layout on the master
file { "/etc/pki/tls/certs/${::hostname}.jokefire.com.crt":
  notify  => Service["bacula-fd"],
  owner   => "bacula",
  group   => "bacula",
  mode    => '0400',
  require => Package["bacula-client", "bacula-common"],
  source  => "puppet:///modules/bacula/${::hostname}/${::hostname}.jokefire.com.crt",
}


And the files and directories with ownership/permissions shown:

[root@puppet:/etc/puppet] #ls -lh environments/production/modules/bacula/files/{logs,monitor1}
environments/production/modules/bacula/files/logs:
total 8.0K
-rw-r--r--. 1 puppet puppet 1.9K Apr 23 22:14 logs.jokefire.com.crt
-rw-r--r--. 1 puppet puppet 3.2K Apr 23 22:14 logs.jokefire.com.key

environments/production/modules/bacula/files/monitor1:
total 8.0K
-rw-r--r--. 1 puppet puppet 2.0K Jun 16 21:53 monitor1.jokefire.com.crt
-rw-r--r--. 1 puppet puppet 3.2K Jun 16 21:53 monitor1.jokefire.com.key 

[root@puppet:/etc/puppet] #ls -ld environments/production/modules/bacula/files/{logs,monitor1}
drwxr-xr-x. 2 puppet puppet 62 Jun 16 22:13 environments/production/modules/bacula/files/logs
drwxr-xr-x. 2 puppet puppet 70 Jun 16 22:14 environments/production/modules/bacula/files/monitor1

And this is the error I'm getting on the monitor1 host:

Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/certs/monitor1.jokefire.com.crt]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor1/monitor1.jokefire.com.crt
Error: /Stage[main]/Bacula::Config/File[/etc/pki/tls/private/monitor1.jokefire.com.key]: Could not evaluate: Could not retrieve information from environment production source(s) puppet:///modules/bacula/monitor1/monitor1.jokefire.com.key

But, paradoxically, the logs host (which is also shown above) works fine. Same formula in the config manifest, different directories but same permissions on the source files, yet only one fails! This just isn't making any sense to me. 

Puppet should be able to select the correct directory name to pull from for the monitor1 host based on the $hostname fact just as it does for the logs host.

Any thoughts?

Thanks,
Tim


Tim Dunphy

Jun 19, 2015, 11:12:56 PM
to puppet...@googlegroups.com
I got a little closer to the answer on this. 

The error seems to be SELinux related. If I disable SELinux on the puppet master, the error goes away on the client.


I found this in my audit log on the puppet server:

type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for  pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file

I ran audit2allow and found this:

grep puppet /var/log/audit/audit.log | audit2allow


#============= passenger_t ==============
allow passenger_t nfs_t:file open;

But how do I turn this into an SELinux command that allows this to work?

thanks!
Tim
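The AVC record in the last message already names what was blocked (a passenger_t process opening a file labelled nfs_t), and the thread ends before anyone answers. As an added example that is not from the thread or from Puppet, the POSIX shell script below parses that record, reconstructs the rule audit2allow printed, and lists the label checks to run before loading any new policy: nfs_t is the type for files on NFS mounts, so a file on a local disk (the record says dev="vda1") carrying it is usually mislabelled, which restorecon fixes without an allow rule. The helper names are assumed; only AVC_LINE comes from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: parse an SELinux AVC record and turn it
# into the checks to run before loading any allow rule. AVC_LINE is the record
# Tim posted; the helper names below are assumed.

AVC_LINE='type=AVC msg=audit(1434769414.956:562): avc:  denied  { open } for  pid=3558 comm="ruby" path="/etc/puppet/environments/production/modules/bacula/files/monitor1/monitor1.jokefire.com.crt" dev="vda1" ino=1842005 scontext=system_u:system_r:passenger_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=... in the record, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\).*/\1/p'
}

# avc_perms LINE: the permissions inside "{ ... }", e.g. "open" or "read open"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type field of a user:role:type:level context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_allow_rule LINE: the rule audit2allow prints for this record
avc_allow_rule() {
    _perms=$(avc_perms "$1")
    case $_perms in *" "*) _perms="{ $_perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$_perms"
}

# avc_checks LINE: label checks to run on the master before adding policy.
# nfs_t is the type for files on NFS mounts; a file on a local disk (the
# record says dev="vda1") carrying it is usually mislabelled, so compare the
# current label with the default one and confirm what filesystem it is on.
avc_checks() {
    _path=$(avc_field "$1" path)
    printf 'ls -Z %s\n' "$_path"          # current label
    printf 'matchpathcon %s\n' "$_path"   # default label for that path
    printf 'restorecon -nv %s\n' "$_path" # dry run: would it be relabelled?
    printf 'df -T %s\n' "$_path"          # is the path really on NFS?
}

avc_allow_rule "$AVC_LINE"
avc_checks "$AVC_LINE"
```

Run the printed commands on the master; if `restorecon -nv` reports it would relabel the file, relabelling the directory is the first thing to try, and the allow rule from audit2allow is not needed.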