puppetboard unable to reach puppetb

756 views
Skip to first unread message

Tim Dunphy

unread,
Oct 8, 2014, 1:03:55 PM10/8/14
to puppet...@googlegroups.com

Hey all,

 I was able to setup puppetdb on my puppetmaster. I'm very happy I was able to get that done. 

And now that that's working I was hoping to get the puppetboard running. 

But here's where I'm at so far:


I plan to put SSL and some basic auth on there once I get it working!

Here's what I'm seeing in the apache error logs: 

[root@puppet:/etc/httpd/conf.d] #tail -f /var/log/httpd/puppetboard_error_log
[Wed Oct 08 12:51:50 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/lists.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:21 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/css/puppetboard.css, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:21 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/moment.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:21 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/timestamps.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:21 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/tables.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:21 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/lists.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:22 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/moment.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:22 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/timestamps.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:22 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/tables.js, referer: http://puppetboard.jokefire.com/
[Wed Oct 08 12:52:22 2014] [crit] [client 173.213.212.233] configuration error:  couldn't perform authentication. AuthType not set!: /static/js/lists.js, referer: http://puppetboard.jokefire.com/

And here's what I'm getting in my apache access logs:

[root@puppet:/etc/httpd/conf.d] #tail -f /var/log/httpd/puppetboard_access_log
173.213.212.233 - - [08/Oct/2014:12:52:21 -0400] "GET / HTTP/1.1" 500 1034 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:21 -0400] "GET /static/css/puppetboard.css HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:21 -0400] "GET /static/js/moment.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:21 -0400] "GET /static/js/timestamps.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:21 -0400] "GET /static/js/tables.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:21 -0400] "GET /static/js/lists.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:22 -0400] "GET /static/js/moment.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:22 -0400] "GET /static/js/timestamps.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:22 -0400] "GET /static/js/tables.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"
173.213.212.233 - - [08/Oct/2014:12:52:22 -0400] "GET /static/js/lists.js HTTP/1.1" 500 405 "http://puppetboard.jokefire.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0"


Here's my apache vhost setup:

<VirtualHost *:80>
    ServerName puppetboard.jokefire.com
    WSGIDaemonProcess puppetboard user=apache group=apache threads=5
    WSGIScriptAlias / /var/www/puppetboard/wsgi.py
    ErrorLog /var/log/httpd/puppetboard_error_log
    CustomLog /var/log/httpd/puppetboard_access_log combined

    Alias /static /usr/lib/python2.6/site-packages/puppetboard/static

    <Directory /usr/lib/python2.6/site-packages/puppetboard/static>
        WSGIProcessGroup puppetboard
        WSGIApplicationGroup %{GLOBAL}
        Require all granted
    </Directory>
</VirtualHost>


And here are the permissions on those files and directories:

[root@puppet:/etc/httpd/conf.d] #ls -l /var/www/puppetboard/wsgi.py
-rw-r--r--. 1 apache apache 207 Oct  8 12:10 /var/www/puppetboard/wsgi.py

[root@puppet:/etc/httpd/conf.d] #ls -ld /var/www/puppetboard
drwxr-xr-x. 2 apache apache 4096 Oct  8 12:52 /var/www/puppetboard

[root@puppet:/etc/httpd/conf.d] #ls -ld /usr/lib/python2.6/site-packages/puppetboard/static
drwxr-xr-x. 4 root root 4096 Oct  8 12:47 /usr/lib/python2.6/site-packages/puppetboard/static

And as you can see from the puppetdb logs it's chugging along fine:

[root@puppet:/etc/httpd/conf.d] #tail -f /var/log/puppetdb/puppetdb.log

2014-10-08 13:01:46,745 INFO  [c.p.p.command] [da1bf5dc-cd15-4655-bd6b-ce593cf3b82c] [replace facts] monitor.mydomain.com

2014-10-08 13:01:48,390 INFO  [c.p.p.command] [14591b81-3143-4e0c-bab4-9c9704b4154c] [replace catalog] monitor.mydomain.com

2014-10-08 13:01:53,843 INFO  [c.p.p.command] [cc21cae0-604d-4e82-9e5a-20f0e82119d6] [replace facts] ldap02.mydomain.com

2014-10-08 13:01:55,561 INFO  [c.p.p.command] [66d3fb54-7fce-4bee-b476-e5394604cbb5] [replace catalog] ldap02.mydomain.com

2014-10-08 13:02:05,926 INFO  [c.p.p.command] [c83c0c2e-a059-45a6-9387-8e8e376eff11] [replace facts] monitor.mydomain.com

2014-10-08 13:02:07,701 INFO  [c.p.p.command] [75cbb0bd-c1c8-4568-b76e-ec30b919ffc2] [replace catalog] monitor.mydomain.com

2014-10-08 13:02:15,191 INFO  [c.p.p.command] [445fc847-3cac-422f-9db1-60564ec94e02] [replace facts] ldap02.mydomain.com

2014-10-08 13:02:16,712 INFO  [c.p.p.command] [36727000-0d46-4144-a3b9-365cea6b42e3] [replace catalog] ldap02.mydomain.com

2014-10-08 13:02:24,614 INFO  [c.p.p.command] [b97e1cf7-5b83-474c-b3bd-faafded3501c] [replace facts] monitor.mydomain.com

2014-10-08 13:02:26,857 INFO  [c.p.p.command] [35d1a4f5-b4a8-4dab-99db-2a9a1c2648a0] [replace catalog] monitor.mydomain.com

2014-10-08 13:02:36,968 INFO  [c.p.p.command] [0efa1d3e-7252-4336-9e39-98bd8fbeccd5] [replace facts] ldap02.mydomain.com

2014-10-08 13:02:38,235 INFO  [c.p.p.command] [bf6a874f-bc2c-4a7a-b5ad-8044dceae9ce] [replace catalog] ldap02.mydomain.com


I'd appreciate any advice you may have!


Thanks

Tim





--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Daniele Sluijters

unread,
Oct 9, 2014, 12:03:16 PM10/9/14
to puppet...@googlegroups.com
Hi,

This doesn't look like a configuration error with regard to Puppetboard but one with regard to Apache. These lines:  configuration error:  couldn't perform authentication. AuthType not set!: /static/js/lists.js, referer: http://puppetboard.jokefire.com/ aren't generated by Puppetboard, it has no concept of authentication and AuthType is an Apache thing.

My bet is the "Require all granted" line. From what I can gleam from http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require it would require a few more settings, AuthType, AuthName, AuthBasicProvider, AuthUserFile and AuthGroupFile.

Until you have authentication set up, replace that Require line with:
        
        Order deny,allow
        Allow from all

Let me know if this works for you,

-- 
Daniele Sluijters

Daniele Sluijters

unread,
Oct 9, 2014, 12:10:27 PM10/9/14
to puppet...@googlegroups.com
Hi,

I missed the part where this actually still works but then throws the PuppetDB connection issues.

* How did you install Puppetboard, with this module: https://forge.puppetlabs.com/nibalizer/puppetboard?
* Are Puppetboard and PuppetDB running on the same machine?
* Can you show me your settings.py as documented here: https://github.com/nedap/puppetboard#settings

-- 
Daniele Sluijters

Tim Dunphy

unread,
Oct 9, 2014, 12:24:08 PM10/9/14
to puppet...@googlegroups.com
Hi Daniel,

 Thanks for getting back to me. 

Ok so I changed my apache config to this:

<VirtualHost *:80>
    ServerName puppetboard.jokefire.com
    WSGIDaemonProcess puppetboard user=apache group=apache threads=5
    WSGIScriptAlias / /var/www/puppetboard/wsgi.py
    ErrorLog /var/log/httpd/puppetboard_error_log
    CustomLog /var/log/httpd/puppetboard_access_log combined

    Alias /static /usr/lib/python2.6/site-packages/puppetboard/static

    <Directory /usr/lib/python2.6/site-packages/puppetboard/static>
        WSGIProcessGroup puppetboard
        WSGIApplicationGroup %{GLOBAL}
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>


I also changed the directory and contents to be readable by apache:

[root@puppet:/etc/httpd/conf.d] #ls -ld /usr/lib/python2.6/site-packages/puppetboard/static/
drwxr-xr-x. 4 apache apache 4096 Oct  8 12:47 /usr/lib/python2.6/site-packages/puppetboard/static/

I still get the error:



I missed the part where this actually still works but then throws the PuppetDB connection issues.
* How did you install Puppetboard, with this module: https://forge.puppetlabs.com/nibalizer/puppetboard?

 I did it via python pip install. I tried using the puppet module initially. But it threw a bunch of dependency errors on my system. So rather than try to wrestle with those I decided to to try a pip install which went ok.
 
* Are Puppetboard and PuppetDB running on the same machine?

Yes! They are.
 
* Can you show me your settings.py as documented here: https://github.com/nedap/puppetboard#settings


Sure! Here you go.

[root@puppet:~] #cat /var/www/puppetboard/settings.py
PUPPETDB_HOST = 'puppet.jokefire.com'
PUPPETDB_PORT = 8081
PUPPETDB_KEY  = '/etc/puppetdb/ssl/private.pem'
PUPPETDB_CERT = '/etc/puppetdb/ssl/public.pem'
PUPPETDB_SSL_VERIFY = True
PUPPETDB_KEY = None
PUPPETDB_CERT = None
PUPPETDB_TIMEOUT = 60
DEV_LISTEN_HOST = '127.0.0.1'
DEV_LISTEN_PORT = 5000
UNRESPONSIVE_HOURS = 2
ENABLE_QUERY = True
LOGLEVEL = 'debug'

I also tried the PUPPET_HOST with the IP of the machine, and with 0.0.0.0. None of that seemed to make any difference!

Thanks again for getting back to me on this.

Tim



 

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
 To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/09357b9c-d898-4a55-b0b8-c82254d52c9a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Daniele Sluijters

unread,
Oct 9, 2014, 2:36:02 PM10/9/14
to puppet...@googlegroups.com
Hey,

I think I know what's going on here. You've, dutifully, told Puppetboard that it needs to validate the server certificate that PuppetDB is presenting you with (PUPPETDB_SSL_VERIFY) when you setup a connection. However, I'm betting your OS trust-store does not include a copy of the Puppet Master CA, the one that handed out PuppetDB's server certificate.

What you need to do is change PUPPETDB_SSL_VERIFY from True to /var/lib/puppet/ssl/ca/ca.pem (I think that's the path). What also is slightly weird is that you have defined PUPPETDB_KEY and PUPPETDB_CERT twice, the latter having it set to None which I'm guessing is what Puppetboard ends up picking.

However, since your PuppetDB and Puppetboard are hosted on the same machine you can forgo the whole SSL debacle and use a local, plain connection instead. Since this traffic will never leave the host people would need to be logged in to your master to intercept it. Your settings.py then looks like this:

PUPPETDB_HOST = 'localhost'
PUPPETDB_PORT = 8080
PUPPETDB_TIMEOUT = 60

Once that works for you don't forget to change the LOGLEVEL back to 'info'.

-- 
Daniele Sluijters

Tim Dunphy

unread,
Oct 9, 2014, 3:29:17 PM10/9/14
to puppet...@googlegroups.com
Hey Daniele,

 Thanks for your feedback! And especially your suggestion to forego SSL since I'm running puppetb and puppetboard on the same host. 

Anyway, here's my jetty.ini file from puppetdb:

[root@puppet:/etc/puppetdb/conf.d] #cat jetty.ini | grep -v '#'
[jetty]

port = 8082



ssl-host = 216.120.250.140

ssl-port = 8081

ssl-key = /etc/puppetdb/ssl/private.pem

ssl-cert = /etc/puppetdb/ssl/public.pem

ssl-ca-cert = /etc/puppetdb/ssl/ca.pem

And I set my settings.py to what you suggested:

[root@puppet:/etc/puppetdb/conf.d] #cat /var/www/puppetboard/settings.py
PUPPETDB_HOST = 'localhost'
PUPPETDB_PORT = 8082
PUPPETDB_TIMEOUT = 60

And look at that!!!


The puppetboard started filling in with data. However, all my nodes are showing up as 'unreported'. 

Which is odd because I am also running foreman on the same machine. And if I look there, foreman is claiming that all my nodes have reported in. 

Could I now be having an issue with the puppetdb itself?

if so I don't see anything telling in the puppetdb logs:

[root@puppet:/etc/puppetdb/conf.d] #tail -f /var/log/puppetdb/puppetdb.log
2014-10-09 15:27:29,822 INFO  [c.p.p.command] [833e757a-929b-4e7d-9f4b-82728e0e1659] [replace catalog] ldap02.jokefire.com
2014-10-09 15:27:31,362 INFO  [c.p.p.command] [4b4c50ab-8437-4f8f-917a-138e6c97d464] [replace catalog] mail.jokefire.com
2014-10-09 15:27:46,117 INFO  [c.p.p.command] [20bf87fc-2a1b-4a30-8877-0273439b8620] [replace facts] monitor.jokefire.com
2014-10-09 15:27:48,468 INFO  [c.p.p.command] [6714cdd3-64a1-49e7-b69c-575680e7fe9d] [replace catalog] monitor.jokefire.com
2014-10-09 15:27:53,481 INFO  [c.p.p.command] [0d3b94a2-2013-479c-bf7a-d3dc6d04bdae] [replace facts] ldap02.jokefire.com
2014-10-09 15:27:55,420 INFO  [c.p.p.command] [a5d7e16c-ef1f-469b-9a57-a1bb5fa7f884] [replace catalog] ldap02.jokefire.com
2014-10-09 15:28:05,156 INFO  [c.p.p.command] [4c677d3a-7b74-48ca-9c02-51884b8aa7cb] [replace facts] monitor.jokefire.com
2014-10-09 15:28:07,418 INFO  [c.p.p.command] [80aa84a3-bbfe-4900-85ae-7727b5a6fb4f] [replace catalog] monitor.jokefire.com
2014-10-09 15:28:15,070 INFO  [c.p.p.command] [58fc68ac-3535-4dbf-bad1-574de9ed7247] [replace facts] ldap02.jokefire.com
2014-10-09 15:28:16,462 INFO  [c.p.p.command] [20695d20-19da-42b3-a5cb-ed933dda3cb3] [replace catalog] ldap02.jokefire.com


Thanks for your help! Looks as if we are making some progress here!
Tim




To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/9af260d1-be30-41fc-a672-9300b45e62fe%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Spencer Krum

unread,
Oct 9, 2014, 3:38:41 PM10/9/14
to puppet...@googlegroups.com
Are you pushing reports into puppetdb or only into foreman?

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAOZy0emsep1fCpvjX58vhBytJooNopVv%3D2ivz8emOzO4mAqHsg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.



--
Spencer Krum
(619)-980-7820

Tim Dunphy

unread,
Oct 9, 2014, 3:57:55 PM10/9/14
to puppet...@googlegroups.com
Hey Spencer,

 
Are you pushing reports into puppetdb or only into foreman? 


Ok so I missed that. Sorry dude. And yeah as you point out I originally had reports only going to foreman. But I changed the puppet.conf to this:

[root@puppet:/etc/puppet] #egrep -i "reports|storeconfigs" puppet.conf
    reports        = foreman puppetdb
    storeconfigs = true
    storeconfigs_backend = puppetdb 


I wasn't sure if this was supposed to be comma dlimeted or space. I tried using a space between the two. 

And so far no change. 



thanks

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADt6FWMMHSCVsVBsR2CLE4Kb9ZDdfCBWOjHyAW6x%2BuWsyyVcMw%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

Ken Barber

unread,
Oct 9, 2014, 6:53:22 PM10/9/14
to Puppet Users
>> Are you pushing reports into puppetdb or only into foreman?
>
>
>
> Ok so I missed that. Sorry dude. And yeah as you point out I originally had
> reports only going to foreman. But I changed the puppet.conf to this:
>
> [root@puppet:/etc/puppet] #egrep -i "reports|storeconfigs" puppet.conf
> reports = foreman puppetdb
> storeconfigs = true
> storeconfigs_backend = puppetdb
>
>
> I wasn't sure if this was supposed to be comma dlimeted or space. I tried
> using a space between the two.
>
> And so far no change.
>
> http://puppetboard.jokefire.com/

Its a comma, if you are unclear. Try it again and restart your puppet
master. Then check your PuppetDB logs (/var/log/puppetdb/puppetdb.log)
you should see logged commands for the 'store report' command be
submitted on a node after you do an agent run, if not - check your
puppet master logs to see if its logging any errors with sending the
reports. The puppet master usually logs to syslog FYI. Basically these
'store report' commands should be submitted in order from one host
like so:

* replace facts
* replace catalog
* store report

If none of that helps, we can explore turning on debug mode for Puppet
to see what's being logged.

ken.

Tim Dunphy

unread,
Oct 9, 2014, 11:14:45 PM10/9/14
to puppet...@googlegroups.com
Hi Ken,
 
Its a comma, if you are unclear.

Yep! I was able to get that by trying it out. But thanks for the feedback! Always extremely welcomed!

[root@puppet:~] #cd /etc/puppet
[root@puppet:/etc/puppet] #grep reports puppet.conf
    reports        = foreman, puppetdb

Try it again and restart your puppet
master. Then check your PuppetDB logs (/var/log/puppetdb/puppetdb.log)
you should see logged commands for the 'store report' command be
submitted on a node after you do an agent run 

Seems to be working fine! I can see reports turning up both in foreman and in puppetboard now. BTW, I'm really liking both the foreman and the puppeboard. I'm glad I put in the effort to get both it and the puppetdb working. I'm going to pitch the puppetdb to my coworkers who so far only use the community version of puppet with no web interface. Masochists, clearly! 

Thanks again!
Tim 


 
Try it again and restart your puppet
master. Then check your PuppetDB logs (/var/log/puppetdb/puppetdb.log)
you should see logged commands for the 'store report' command be
submitted on a node after you do an agent run
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAE4bNT%3DsYszRgMm_eBWqvkDH8UsZnEB06knoQZT4r_pjWx2X2w%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages