Func 0.28 with puppet and EL 5.5
Brano Zarnovican
2011-06-10 14:06:31 UTC
> Hi,
> I have been using func 0.24 for a while with puppet and no problems and decided to upgrade to the latest offered from epel, 0.28. After updating I cannot get even a ping response from the func client on the master.
> ('func.lsu.edu',
> ['REMOTE_ERROR',
> 'xmlrpclib.Fault',
> "<Fault 1: 'func.minion.codes.AccessToMethodDenied:'>"])
> 2011-05-23 15:26:24,453 - DEBUG - Loading func.overlord.modules.utils.utils module
> 2011-05-23 15:26:24,454 - WARNING - Could not load module
> 2011-05-23 15:26:24,454 - WARNING - ['Traceback (most recent call last):\n', ' File "/usr/lib/python2.4/site-packages/func/module_loader.py", line 108, in load_modules\n blip = __import__("%s%s" % ( mod_dir,mod_imp_name), globals(), locals(), [mod_imp_name])\n', 'ValueError: Empty module name\n']
> 2011-05-23 15:26:24,455 - DEBUG - Loading func.overlord.modules.copyfile.copyfile module
> 2011-05-23 15:26:24,541 - DEBUG - cn: func.lsu.edu sub_hash: 952665255
> 2011-05-23 15:26:24,543 - DEBUG - current acls {u'ca--1304069296': ['*', 'foo']}
> 2011-05-23 15:26:24,543 - DEBUG - hostkey func.lsu.edu-952665255

Hi Jason,

I've probably been hit by the very same problem. The short story is
that your overlord node is not sending the right cert to identify
itself to the minion.

To fix, I had to change in /etc/func/overlord.conf
#cert_file = /var/lib/puppet/ssl/certs/puppet.example.org.pem
#key_file = /var/lib/puppet/ssl/private_keys/puppet.example.org.pem
cert_file = /var/lib/puppet/ssl/certs/ca.pem
key_file = /var/lib/puppet/ssl/ca/ca_key.pem

It seems that the instructions to set up Puppet/Func integration are inaccurate.

Logging problem: IMHO funcd should report authorization problems
nicely. This is how it looks now:

==> func/func.log <==
2011-06-10 13:03:26,804 - DEBUG - cn: puppet.example.org sub_hash: 710746128
2011-06-10 13:03:26,806 - DEBUG - current acls {u'ca-2990898000': ['*', 'foo']}
2011-06-10 13:03:26,806 - DEBUG - hostkey puppet.example.org-710746128

After some head-scratching I figured out that this means "Incoming
overlord cert has hash 710746128, expected cert (from implicit acl) is
2990898000".
This page was a great help, btw (https://fedorahosted.org/func/wiki/FuncSecurity)

Logging on the client side could also be improved. Not even at DEBUG level
can you see the response from the remote end (for ping).
(Desperate, I had to decrypt the session in Wireshark.)
> 2011-05-23 15:26:24,454 - WARNING - Could not load module
> 2011-05-23 15:26:24,454 - WARNING - ['Traceback (most recent call last):\n', ' File "/usr/lib/python2.4/site-packages/func/module_loader.py", line 108,
This WARN is totally unrelated.
When func is walking over files to load, it will come to the entry
/usr/lib/python2.4/site-packages/func/overlord/modules/__init__.py
After some processing and stripping __init__.py, it will try to execute..

import func.overlord.modules. # <-- notice the dot

.. and bomb out. That warning should be harmless.

System: RHEL5.6/Fedora14, func 0.28

Regards,

BranoZ
