[PDB-137] Document use of PuppetDB with SELinux
Created: 2013/12/04
Updated: 2015/02/12
Resolved: 2015/01/05

Status: Closed
Project: PuppetDB
Component/s: None
Affects Version/s: None
Fix Version/s: PDB 2.3.0

Type: Task
Priority: Normal
Reporter: redmine.exporter
Assignee: Rob Nelson
Resolution: Fixed
Votes: 1
Labels: docs, redmine
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Story Points: 5
QA Contact: Kurt Wall

 Description   

From the mailing list:

<pre>
I've configured puppet to use storedconfigs and puppetDB.
If I start the puppet master using the init script puppetmaster I get a permission denied error when a node connects:

Master:
[root@puppet ~]# service puppetmaster start
Starting puppetmaster: [ OK ]

Node:
[root@puppet-slave ~]# puppet agent --test
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppet-slave.test.net to PuppetDB at puppet.test.net:8081: Permission denied - connect(2)
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

If I start the puppet master using the script puppet command, it works fine:

Master:
[root@puppet ~]# puppet master start

Node:
[root@puppet-slave ~]# puppet agent --test
info: Caching catalog for puppet-slave.test.net
info: Applying configuration version '1340967639'
notice: /Stage[main]/Drupal/Exec[install-drupal]/returns: executed successfully
notice: Finished catalog run in 17.72 seconds

Anyone come across this behaviour before, or found a solution?

All packages are from RPM installs (except ruby gems for puppetdb....)

[root@puppet ~]# rpm -qa | grep puppet
puppet-server-2.7.17-1.el6.noarch
puppetlabs-release-6-1.noarch
puppet-2.7.17-1.el6.noarch
puppetdb-0.9.1-2.el6.noarch
puppetdb-terminus-0.9.1-2.el6.noarch
</pre>

I think that, at a minimum, we should document in the installation docs what ports and permissions need to be there for PuppetDB to work in an SELinux environment.



 Comments   
Comment by Rob Nelson [ 2014/12/24 ]

PR 1191 submitted
https://github.com/puppetlabs/puppetdb/pull/1191

Comment by Rob Nelson [ 2014/12/26 ]

PR 1191 closed, PR 1192 opened
https://github.com/puppetlabs/puppetdb/pull/1192

Comment by Rob Nelson [ 2015/01/05 ]

Merged in PDB-1081. It will be visible at https://docs.puppetlabs.com/puppetdb/latest/connect_puppet_master.html when 'stable' docs are updated.

Comment by Rob Nelson [ 2015/02/05 ]

Visible at https://docs.puppetlabs.com/puppetdb/latest/connect_puppet_master.html#step-3-set-security-policy

Comment by Kurt Wall [ 2015/02/12 ]

Documentation tickets don't require QA review
