Bug 29285

Summary: puppetmasterd is dead, but stale PID file exists
Product: Branch p7 Reporter: apb <vic_1980>
Component: puppet-serverAssignee: Andrey Cherepanov <cas>
Status: CLOSED NOTABUG QA Contact: qa-p7 <qa-p7>
Severity: normal    
Priority: P3 CC: vic_1980
Version: не указана   
Hardware: all   
OS: Linux   

Description apb 2013-08-15 16:10:26 MSK 
Бодрого времени суток!

При запуске puppetmasterd в syslog падает сообщение:

puppetmasterd: /usr/lib/ruby/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
puppet-master[11596]: Reopening log files
puppet-master[11596]: Starting Puppet master version 2.7.21
puppetmasterd: puppetmasterd startup succeeded

В консоли:
service puppetmasterd status
puppetmasterd is dead, but stale PID file exists

Pid-файл

[root@linupd puppet]# ls -l
итого 4
-rw-r--r-- 1 _puppet puppet 5 авг 15 16:05 master.pid

rpm -qa |grep puppet
puppet-server-2.7.21-alt2
puppet-2.7.21-alt2
puppet-http_server-mongrel-2.7.21-alt2
Comment 1 Andrey Cherepanov 2013-08-30 13:34:22 MSK 
Что выдаёт 

puppetmasterd -d --no-daemonize
Comment 2 apb 2013-08-30 14:04:24 MSK 
(В ответ на комментарий №1)
> Что выдаёт 
> 
> puppetmasterd -d --no-daemonize

[root@linupd ~]# puppetmasterd -d --no-daemonize
/usr/lib/ruby/rubygems/custom_require.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
debug: Failed to load library 'selinux' for feature 'selinux'
debug: Failed to load library 'shadow' for feature 'libshadow'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/linupd.titan.zn.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/private_keys/linupd.titan.zn.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/public_keys/linupd.titan.zn.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/server_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/rrd]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 5418720
debug: /File[/var/lib/puppet/ssl/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/private]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/private/ca.pass]: Autorequiring File[/var/lib/puppet/ssl/ca/private]
debug: /File[/var/lib/puppet/ssl/ca/serial]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/inventory.txt]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: Finishing transaction 12674540
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for linupd.titan.zn
notice: Starting Puppet master version 2.7.21
Could not run: No mount specified for argument allow 10.0.0.0/16
Comment 3 Andrey Cherepanov 2013-08-30 14:42:47 MSK 
(В ответ на комментарий №2)
> Could not run: No mount specified for argument allow 10.0.0.0/16
"Что это, Бэрримор?!"
Откуда этот параметр взялся?

grep ^allow /etc/puppet/*

У меня в /etc/puppet/auth только кучка 
allow * 
allow $1
Comment 4 apb 2013-09-02 09:14:18 MSK 
(В ответ на комментарий №3)
> (В ответ на комментарий №2)
> > Could not run: No mount specified for argument allow 10.0.0.0/16
> "Что это, Бэрримор?!"
> Откуда этот параметр взялся?
> 
> grep ^allow /etc/puppet/*
> 
> У меня в /etc/puppet/auth только кучка 
> allow * 
> allow $1

Allow 10.0.0.0/16 - из fileserver.conf
cat fileserver.conf 
# This file consists of arbitrarily named sections/modules
# defining where files are served from and to whom

# Define a section 'files'
# Adapt the allow/deny settings to your needs. Order
# for allow/deny does not matter, allow always takes precedence
# over deny
# [files]
#  path /var/lib/puppet/files
#  allow *.example.com
#  deny *.evil.example.com
#  allow 192.168.0.0/24
allow 10.0.0.0/16


В auth.conf я вовсе ничего не добавлял

cat auth.conf
# This is an example auth.conf file, it mimics the puppetmasterd defaults
#
# The ACL are checked in order of appearance in this file.
#
# Supported syntax:
# This file supports two different syntax depending on how
# you want to express the ACL.
#
# Path syntax (the one used below):
# ---------------------------------
# path /path/to/resource
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The path is matched as a prefix. That is /file match at
# the same time /file_metadat and /file_content.
#
# Regex syntax:
# -------------
# This one is differenciated from the path one by a '~'
#
# path ~ regex
# [environment envlist]
# [method methodlist]
# [auth[enthicated] {yes|no|on|off|any}]
# allow [host|ip|*]
# deny [host|ip]
#
# The regex syntax is the same as ruby ones.
#
# Ex:
# path ~ .pp$
# will match every resource ending in .pp (manifests files for instance)
#
# path ~ ^/path/to/resource
# is essentially equivalent to path /path/to/resource
#
# environment:: restrict an ACL to a specific set of environments
# method:: restrict an ACL to a specific set of methods
# auth:: restrict an ACL to an authenticated or unauthenticated request
# the default when unspecified is to restrict the ACL to authenticated requests
# (ie exactly as if auth yes was present).
#

### Authenticated ACL - those applies only when the client
### has a valid certificate and is thus authenticated

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1

# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *

# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1

# inconditionnally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *

### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate; we allow authenticated users, too, because
### there isn't a great harm in letting that request through.

# allow access to the master CA
path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_request
auth any
method find, save
allow *

# this one is not stricly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any
Comment 5 Andrey Cherepanov 2013-09-03 14:30:26 MSK 
(В ответ на комментарий №4)
> # Define a section 'files'
> # Adapt the allow/deny settings to your needs. Order
> # for allow/deny does not matter, allow always takes precedence
> # over deny
> # [files]
> #  path /var/lib/puppet/files
> #  allow *.example.com
> #  deny *.evil.example.com
> #  allow 192.168.0.0/24
> allow 10.0.0.0/16
А section кто раскомментировать будет? Должно быть 

[files]
allow 10.0.0.0/16
Comment 6 apb 2013-09-05 13:06:40 MSK 
(В ответ на комментарий №5)
> (В ответ на комментарий №4)
> > # Define a section 'files'
> > # Adapt the allow/deny settings to your needs. Order
> > # for allow/deny does not matter, allow always takes precedence
> > # over deny
> > # [files]
> > #  path /var/lib/puppet/files
> > #  allow *.example.com
> > #  deny *.evil.example.com
> > #  allow 192.168.0.0/24
> > allow 10.0.0.0/16
> А section кто раскомментировать будет? Должно быть 
> 
> [files]
> allow 10.0.0.0/16

Да, Вы правы ...
Ещё неплохо было-бы path раскомментировать =(
Спасибо.
Предлагаю считать закрытым.
Извините
Comment 7 Andrey Cherepanov 2013-09-05 15:29:05 MSK 
Закрываю.