Uploaded image for project: 'Puppet Enterprise'
  1. Puppet Enterprise
  2. ENTERPRISE-584

Non-standard auth.conf causes 3.7 upgrade to fail

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PE 3.7.0, PE 3.7.1, PE 3.7.2
    • Fix Version/s: PE 3.8.0
    • Component/s: Upgrader
    • Labels:
    • Template:

      Description

      Issue

      If the environment is utilising a non-standard auth.conf file, such as in a multi master environment, the upgrader for PE3.3.2 -> PE3.7 will fail at one point, but it will finish the upgrade. The Classifier will be nonfunctional and no classification services will be available.

      Cause

      In a multi master environment the auth.conf file is modified so other masters can access the certificate endpoint. This modification of the auth.conf appears to prevent the upgrader from modifying this file and therefore prevent the Classifier from gaining access to the resource_type endpoint.

      The following error will occur during upgrade:

      Notice: Finished catalog run in 4.80 seconds
      Loaded plugins: fastestmirror
      Cleaning repos: puppet-enterprise-installer
      Cleaning up Everything
      Cleaning up list of fastest mirrors
      PuppetDB configured.
      Waiting for Node Classifier to start...
      !!! WARNING: The node classifier could not be reached; please check the logs in '/var/log/pe-console-services/' for more information.
      

      After upgrade the console-services.log will contain something like:

      2014-11-18 16:00:56,076 ERROR [p.c.class-updater] 403 response received for request for classes in development from "https://mom.puppetlabs.vm:8140/development/resource_types/*"
      2014-11-18 16:00:56,077 ERROR [p.c.class-updater] Received an unexpected 403 response when trying to synchronize classes from the Puppet Master's REST interface at https://mom.puppetlabs.vm:8140/development/resource_types/* The response is: "Forbidden request: pe-internal-classifier(192.168.56.101) access to /resource_type/* [search] authenticated  at :60"
      

      Pre-Upgrade Fix

      The user can modify the auth.conf to the following:

      path  /resource_type
      method find, search
      auth yes
      allow pe-internal-dashboard,pe-internal-classifier
      

      It is also recommended to remove any classification from the Console, Hiera or site.pp that relates to managing PE with custom or LEI modules. This will prevent issues on first Puppet run after upgrade.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              chuck Charlie Sharpsteen
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support