MODULES-7054

PUPPETDB: Two puppet runs required to correctly set PostgreSQL user password


    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: postgresql
    • Labels:
      None
    • Template:
      MODULES Bug Template
    • Team:
      Modules
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      When declaring classes (as follows), puppet agent requires two runs to properly set the password for the puppetdb postgresql user. I would expect normally that the password is set properly after only one run.

      From the first puppet run, the output (clipped) is the following:

      ...
      pm_stretch: Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Role[puppetdb]/Postgresql_psql[CREATE ROLE puppetdb ENCRYPTED PASSWORD ****]/command: command changed 'notrun' to 'CREATE ROLE "puppetdb" ENCRYPTED PASSWORD '$NEWPGPASSWD' LOGIN NOCREATEROLE NOCREATEDB NOSUPERUSER CONNECTION LIMIT -1'
      pm_stretch: Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Database[puppetdb]/Postgresql_psql[CREATE DATABASE "puppetdb"]/command: command changed 'notrun' to 'CREATE DATABASE "puppetdb" WITH TEMPLATE = "template0" '
      pm_stretch: Info: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Database[puppetdb]/Postgresql_psql[CREATE DATABASE "puppetdb"]: Scheduling refresh of Postgresql_psql[REVOKE CONNECT ON DATABASE "puppetdb" FROM public]
      pm_stretch: Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Database[puppetdb]/Postgresql_psql[REVOKE CONNECT ON DATABASE "puppetdb" FROM public]: Triggered 'refresh' from 1 events
      pm_stretch: Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Database_grant[GRANT puppetdb - all - puppetdb]/Postgresql::Server::Grant[database:GRANT puppetdb - all - puppetdb]/Postgresql_psql[grant:database:GRANT puppetdb - all - puppetdb]/command: command changed 'notrun' to 'GRANT ALL ON DATABASE "puppetdb" TO "puppetdb"'
      pm_stretch: Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Extension[pg_trgm]/Postgresql_psql[puppetdb: CREATE EXTENSION "pg_trgm"]/command: command changed 'notrun' to 'CREATE EXTENSION "pg_trgm"'
      ...
      

      When I attempt to connect to postgresql after the first run manually, connection is refused as follows:

      $ psql -U puppetdb -h localhost puppetdb
      Password for user puppetdb: 
      psql: FATAL:  password authentication failed for user "puppetdb"
      FATAL:  password authentication failed for user "puppetdb"
      

      The output of /var/log/puppetdb/puppetdb.log suggests it is unable to connect as well:

      ...
      2018-04-25 16:43:13,010 ERROR [p.p.c.services] Error while attempting to create connection pool
      java.sql.SQLTransientConnectionException: PDBMigrationsPool - Connection is not available, request timed out after 15000ms.
              at com.zaxxer.hikari.pool.HikariPool.createTimeoutException(HikariPool.java:601)
              at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:194)
              at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:144)
              at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:85)
              at clojure.java.jdbc$get_connection.invokeStatic(jdbc.clj:306)
              at clojure.java.jdbc$get_connection.invoke(jdbc.clj:225)
              at puppetlabs.puppetdb.cli.services$initialize_schema.invokeStatic(services.clj:290)
              at puppetlabs.puppetdb.cli.services$initialize_schema.invoke(services.clj:284)
              at puppetlabs.puppetdb.cli.services$init_with_db$fn__44122.invoke(services.clj:321)
              at puppetlabs.puppetdb.cli.services$init_with_db.invokeStatic(services.clj:317)
              at puppetlabs.puppetdb.cli.services$init_with_db.invoke(services.clj:301)
              at puppetlabs.puppetdb.cli.services$start_puppetdb.invokeStatic(services.clj:350)
              at puppetlabs.puppetdb.cli.services$start_puppetdb.invoke(services.clj:328)
      ...
      

       

      And then on the second puppet run, the following output is produced:

      Notice: /Stage[main]/Puppetdb::Database::Postgresql/Postgresql::Server::Db[puppetdb]/Postgresql::Server::Role[puppetdb]/Postgresql_psql[ALTER ROLE puppetdb ENCRYPTED PASSWORD ****]/command: command changed 'notrun' to 'ALTER ROLE "puppetdb" ENCRYPTED PASSWORD '$NEWPGPASSWD''
      

      Puppetfile.lock:

      FORGE
        remote: https://forgeapi.puppetlabs.com
        specs:
          puppet-alternatives (1.1.0)
          puppetlabs-apt (4.5.1)
            puppetlabs-stdlib (< 5.0.0, >= 4.16.0)
          puppetlabs-concat (4.2.1)
            puppetlabs-stdlib (< 5.0.0, >= 4.13.1)
          puppetlabs-firewall (1.12.0)
            puppetlabs-stdlib (< 5.0.0, >= 4.0.0)
          puppetlabs-inifile (2.2.1)
          puppetlabs-postgresql (5.4.0)
            puppetlabs-apt (< 5.0.0, >= 2.0.0)
            puppetlabs-concat (< 5.0.0, >= 1.1.0)
            puppetlabs-stdlib (< 5.0.0, >= 4.13.1)
          puppetlabs-puppetdb (6.0.2)
            puppetlabs-firewall (< 2.0.0, >= 1.1.3)
            puppetlabs-inifile (< 3.0.0, >= 1.1.3)
            puppetlabs-postgresql (< 6.0.0, >= 4.0.0)
            puppetlabs-stdlib (< 5.0.0, >= 4.2.2)
          puppetlabs-stdlib (4.25.1)

      DEPENDENCIES
        puppet-alternatives (= 1.1.0)
        puppetlabs-puppetdb (= 6.0.2)
      

      Puppet / os versions:

      $ lsb_release -a
      No LSB modules are available.
      Distributor ID: Debian
      Description: Debian GNU/Linux 9.4 (stretch)
      Release: 9.4
      Codename: stretch
       
      $ apt policy puppetdb
      puppetdb:
        Installed: 4.4.1-1
        Candidate: 4.4.1-1
        Version table:
       *** 4.4.1-1 900
              300 http://deb.debian.org/debian unstable/main amd64 Packages
              100 /var/lib/dpkg/status

      $ apt policy puppet
      puppet:
        Installed: 4.8.2-5
        Candidate: 4.8.2-5
        Version table:
           5.4.0-2 400
              400 http://deb.debian.org/debian buster/main amd64 Packages
              300 http://deb.debian.org/debian unstable/main amd64 Packages
       *** 4.8.2-5 500
              500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
              100 /var/lib/dpkg/status
      

        class { 'puppetdb::database::postgresql':
          database_name       => 'puppetdb',
          database_username   => 'puppetdb',
          database_password   => 'puppetdb',
          manage_server       => true,
          manage_package_repo => false,
          postgres_version    => '9.6',
        }
        class { 'puppetdb::server':
          manage_firewall    => false,
          database           => 'postgres',
          database_username  => 'puppetdb',
          database_password  => 'puppetdb',
          confdir            => '/etc/puppetdb/conf.d',
          vardir             => '/var/lib/puppetdb',
          ssl_dir            => '/etc/puppetdb/ssl',
          ssl_listen_address => 'localhost',
          ssl_set_cert_paths => true,
          ssl_cert_path      => '/etc/puppetdb/ssl/public.pem',
          ssl_key_path       => '/etc/puppetdb/ssl/private.pem',
          ssl_ca_cert_path   => '/etc/puppetdb/ssl/ca.pem',
          ssl_deploy_certs   => false,
        }
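
One way to confirm what the role actually holds after each agent run, as an added example that is not part of the original report or of the puppetlabs modules: it compares `pg_authid.rolpassword` with PostgreSQL's md5 format, `md5` followed by md5(password || role name), which is what a 9.6 server stores for `ENCRYPTED PASSWORD`. The function names and the sample values are hypothetical.

```shell
#!/bin/sh
# Added example: does the hash stored for a role match the password Puppet was given?

# PostgreSQL md5 password format: "md5" followed by md5(password || role name).
# $1 = role name, $2 = cleartext password
pg_md5_hash() {
    printf 'md5%s' "$(printf '%s%s' "$2" "$1" | md5sum | cut -d' ' -f1)"
}

# Classify a stored rolpassword value against the expected cleartext password.
# $1 = role, $2 = expected cleartext, $3 = value read from pg_authid.rolpassword
# Prints one of: match | mismatch | unset | not-md5
classify_role_password() {
    case "$3" in
        '')
            echo unset ;;          # role has no password (NULL)
        md5*)
            if [ "$3" = "$(pg_md5_hash "$1" "$2")" ]; then
                echo match
            else
                echo mismatch      # a password is set, but not the expected one
            fi ;;
        *)
            echo not-md5 ;;        # e.g. SCRAM verifier on newer servers; cannot compare
    esac
}

# Live check (hypothetical helper). The query is fed on stdin because psql
# does not interpolate :'role' inside -c commands.
# $1 = role, $2 = expected cleartext
check_role() {
    stored=$(printf '%s\n' \
        "SELECT rolpassword FROM pg_authid WHERE rolname = :'role';" |
        psql -X -At -v role="$1" postgres)
    classify_role_password "$1" "$2" "$stored"
}

# Constructed sample: a stored hash derived from a different password.
classify_role_password puppetdb puppetdb "$(pg_md5_hash puppetdb some-other-password)"
```

Reading `pg_authid` requires a superuser, so `check_role puppetdb puppetdb` is meant to be run as the `postgres` OS user on the database host.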
      

       

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            kienan Kienan