Port 8139 needs to be open between machine running puppetrun and a client puppetd machine, correct?


Don Jackson

Jan 31, 2010, 3:11:34 PM
to Puppet Users

Hello,

I am attempting to get my machines configured properly so I can use puppetrun on my puppetmaster to get clients to update themselves during my development/testing of new recipes.

I understand about listen = true in the puppetd.conf file, and I also have learned about the namespaceauth.conf file,
where I put stuff like:

[puppetrunner]
allow puppet.mydomain.com

This was all I needed to get machines on the same LAN as my puppetmaster to work, but it didn't work across firewalls to machines in a colo.

From router/firewall logs, it appears that the puppetmaster needs to connect to port 8139 of the machine running puppetd.

I wasn't able to find this clearly documented, hence this email.

Regards,

Don

Dan Bode

Jan 31, 2010, 7:28:07 PM
to puppet...@googlegroups.com
On Sun, Jan 31, 2010 at 12:11 PM, Don Jackson <puppet...@clark-communications.com> wrote:

> Hello,
>
> I am attempting to get my machines configured properly so I can use puppetrun on my puppetmaster to get clients to update themselves during my development/testing of new recipes.
>
> I understand about listen = true in the puppetd.conf file, and I also have learned about the namespaceauth.conf file,
> where I put stuff like:
>
>        [puppetrunner]
>            allow puppet.mydomain.com
>
> This was all I needed to get machines on the same LAN as my puppetmaster to work, but it didn't work across firewalls to machines in a colo.
>
> From router/firewall logs, it appears that the puppetmaster needs to connect to port 8139 of the machine running puppetd.

That is correct, when using puppetrun, the authorized host needs to initiate a connection with the client on port 8139, then that host will initiate a request with its puppetmaster on 8140.

You can change the puppetd listen port with the puppetport option.

-Dan

> I wasn't able to find this clearly documented, hence this email.
>
> Regards,
>
> Don

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


grg350

Feb 10, 2010, 9:49:15 PM
to Puppet Users
Don, looks like you are able to run puppetrun to configure clients.
It's not working for me.
My config files go:

On Client:
cat puppet.conf
[main]
server=puppetmaster.mydomain.com
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
pluginsync=true

[puppetd]
listen=true

cat namespaceauth.conf
[puppetrunner]
allow puppetmaster.mydomain.com

On puppetmaster:
cat namespaceauth.com
[fileserver]
allow *.mydomain.com
[puppetmaster]
allow *.mydomain.com
[puppetrunner]
allow *.mydomain.com

I ran puppetrun with
#puppetrun --host client.mydomain.com

But it doesn't look like the client gets updated, and it exits with
"Failed to load ruby LDAP library. LDAP functionality will not be
available
Finished"

Also, I don't see any traffic on port 8139 and 8140 while running
tcpdump. Those two machines are on the same LAN and there is no firewall between
them. Not sure what I have been missing. Any help would be
appreciated.

Thanks,
grg350


Iain Sutton

Feb 11, 2010, 3:44:14 PM
to puppet...@googlegroups.com
Hi,

We are able to successfully invoke puppetrun from the puppetmaster. The two main differences between our configuration and what is posted below are:

a) the line 'server=puppet.mydomain.com' is in the [puppetd] section on the client, not in the [main] section
b) we don't have a namespaceauth.conf on the puppetmaster at all, since when we had this in place, all clients would receive a '500 Internal Server Error' when they checked in. I haven't revisited this recently.

We're running puppet 0.24.8 on CentOS/RHEL on client and server.

Hope this helps,

Iain


Raj Gurung

Feb 11, 2010, 5:55:59 PM
to puppet...@googlegroups.com
Modified the puppet.conf but no joy still.

# puppetrun -d --host client.mydomain.com
debug: Parsing /etc/puppet/puppet.conf
Finished

I don't see the changes pushed to the client.mydomain.com box. I wonder if LDAP is a required component for puppetrun?

Thanks,
grg350

--

"Nothing comes easy that is done well."  -Harry F. Banks


Joe McDonagh

Feb 12, 2010, 9:36:29 AM
to puppet...@googlegroups.com
Raj Gurung wrote:
> Modified the puppet.conf but no joy still.
>
> # puppetrun -d --host client.mydomain.com
> debug: Parsing /etc/puppet/puppet.conf
> Finished
>
> I don't see the changes pushed to the client.mydomain.com box. I wonder
> if LDAP is a required component for puppetrun?
>
> Thanks,
> grg350

Does netstat -tnlp show puppetd listening on port 8139?

--
Joe McDonagh
AIM: YoosingYoonickz
IRC: joe-mac on freenode
Boredom is counter-revolutionary
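
Added example, not part of any post in this thread: a Python check of the client-side prerequisites discussed above (listen enabled, puppetport defaulting to 8139, an allow entry under [puppetrunner]) that also flags wildcard allow patterns. The sample file contents and the function names are constructed for illustration, and the precedence of [puppetd] over [main] is an assumption about how puppet.conf is resolved.

```python
import re

# Constructed samples modelled on the configs posted in this thread.
PUPPET_CONF = "[main]\nserver=puppetmaster.mydomain.com\n[puppetd]\nlisten=true\n"
NAMESPACEAUTH = "[puppetrunner]\nallow puppetmaster.mydomain.com\nallow *.mydomain.com\n"

def sections(text):
    """Split INI-style text into {section: [non-blank, non-comment lines]}."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line)
    return out

def setting(conf, name, default):
    """Return a puppet.conf value; assumes [puppetd] overrides [main]."""
    value = default
    for sec in ("main", "puppetd"):
        for line in conf.get(sec, []):
            key, _, val = line.partition("=")
            if key.strip() == name:
                value = val.strip()
    return value

def audit(puppet_conf, namespaceauth):
    """Check the client-side prerequisites for puppetrun named in the thread."""
    conf, auth = sections(puppet_conf), sections(namespaceauth)
    port = int(setting(conf, "puppetport", "8139"))  # default port per the thread
    allowed = [p[1] for p in (l.split() for l in auth.get("puppetrunner", []))
               if len(p) == 2 and p[0] == "allow"]
    findings = []
    if setting(conf, "listen", "false").lower() != "true":
        findings.append("listen is not true: puppetd will not accept puppetrun")
    if not allowed:
        findings.append("no allow entry under [puppetrunner]")
    for host in allowed:
        if "*" in host:
            findings.append(f"wildcard '{host}' lets any matching host trigger runs; "
                            f"name the puppetmaster and firewall tcp/{port} to it")
    return {"port": port, "allowed": allowed, "findings": findings}

if __name__ == "__main__":
    print(audit(PUPPET_CONF, NAMESPACEAUTH))
```

The reported port is the one a firewall between the puppetmaster and the client has to pass inbound to the client; the client's own connection back to the puppetmaster on 8140 is a separate rule.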
