Albertech.net

Puppet fileserver configuration with Scientific Linux 6.1 and SELINUX

April 18, 2012 4:15 pm / Albertech.net

The fileserver in Puppet is useful for quickly centralizing configuration files for multiple servers. It works well for serving small text configuration files to clients, but it is not recommended for large files because it loads them into memory before sending them out. For larger files, I recommend using git or rsync instead, since they don’t affect the performance of the puppetmaster server.

After installing it on Scientific Linux 6.1, I had to go through some extra steps because of the SELINUX restrictions. Here are the steps I went through to get the Puppet fileserver working.

This guide assumes that you already have a Puppet master installed.

  1. Add the puppetmaster variable to /etc/puppet/manifests/site.pp
    $puppetmaster='myserver.com'   (change to the DNS name of your puppetmaster server)
    This is useful in case you change your puppetmaster server or want to copy the existing configuration to another puppetmaster server.
  2. Edit /etc/puppet/fileserver.conf on your Puppetmaster. I called the file mount point “files” in my example.
    [files]
    path /var/lib/puppet/files
    allow *
    Note: I am blocking access to port 443 on my puppetmaster box via iptables. If you want to restrict access to the fileserver via puppet, change the allow * to allow *.mydomain.com (or the IP address of your puppet clients).
  3. Create a directory called “files” in /var/lib/puppet/. You can select another name if you wish, but it has to match the one in /etc/puppet/fileserver.conf.
    cd /var/lib/puppet/
    mkdir files
  4. Change the SELINUX context on this folder to the type “puppet_var_lib_t”
    semanage fcontext -a -t puppet_var_lib_t "/var/lib/puppet/files(/.*)?"
    Note: Semanage is not installed on Red Hat 6.0 by default. You will need to download semanage via
    yum install policycoreutils-python
    Or, run “restorecon files” since the parent folder already has the correct permissions. If you don’t set this, you will get errors on the client puppet machines stating they “cannot read file from puppet://”.
  5. Copy your configuration file(s) to /var/lib/puppet/files/. Make sure the files have the correct SELINUX permissions set on them. You can check via
    ls -laZ
    If they do not have the right permissions, run
    restorecon [name of file]
  6. Inside your puppet class, you can refer to the fileserver via the file{} resource. Replace “/path/to/client-config” with the path of the config file on the client.
    Replace “client-config-source” with the file hosted on the file server. I usually have subfolders for each type of service such as httpd, mysqld. Back up a copy of the file you plan to replace on the client machine.
    file { "/path/to/client-config":
    owner => "root",
    group => "root",
    # $puppetmaster is the variable set in site.pp in step 1
    source => "puppet://$puppetmaster/files/client-config-source",
    }
  7. Restart the puppetmaster service. This will start up the fileserver.
    service puppetmaster restart
  8. Last but not least, always test before running this on a production server.
Common Error Messages:

“Could not evaluate: Could not retrieve information from environment production source(s) puppet:///file/[my source file] at /etc/puppet/manifests/classes/my_sample_class.pp”

If you are getting this on the client, it is most likely a SELINUX issue on the master. Try to run restorecon to fix the permissions on that particular file.
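
The label check from step 5 can be scripted so that mislabeled files are found before a client run fails. This is an added example, not part of the original post: the function names find_mislabeled and scan_tree and the sample listing are constructed for illustration, and the input format is the one `stat -c '%C %n'` prints.

```shell
#!/bin/sh
# Added example: report files whose SELinux type is not the expected one.
# Input on stdin: one "<context> <path>" pair per line.
# Files moved (mv) into the directory keep the label of the place they came
# from, which is how a wrong type usually ends up under the fileserver path.
find_mislabeled() {
    expected_type=$1
    while read -r context path; do
        [ -n "$context" ] || continue
        # A context is user:role:type:level; the type is the third field.
        setype=$(printf '%s\n' "$context" | cut -d: -f3)
        if [ "$setype" != "$expected_type" ]; then
            printf '%s %s\n' "$path" "$setype"
        fi
    done
}

# On a puppetmaster: scan_tree /var/lib/puppet/files
# (defined here but not called, so the script also runs on other machines)
scan_tree() {
    find "$1" -exec stat -c '%C %n' {} + | find_mislabeled puppet_var_lib_t
}

# Constructed sample listing; file names and labels are illustrative only.
sample_labels() {
    cat <<'EOF'
unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/files
unconfined_u:object_r:puppet_var_lib_t:s0 /var/lib/puppet/files/httpd/httpd.conf
unconfined_u:object_r:admin_home_t:s0 /var/lib/puppet/files/mysqld/my.cnf
unconfined_u:object_r:user_tmp_t:s0 /var/lib/puppet/files/httpd/ssl.conf
EOF
}

# Prints each mislabeled path followed by the type it currently carries.
sample_labels | find_mislabeled puppet_var_lib_t
```

Each path it prints is a candidate for restorecon.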

DISCLAIMER: This is for informational purposes only. We are providing absolutely no warranty for this information. Use this information at your own risk. Always perform upgrades on a test server before production and always have a full backup of the system.

Update 4/19/2012 — Thanks Dave Quigley for the tip on semanage. I’ve updated the documentation with semanage instead of chcon. The selinux changes need to be persistent.

Posted in: Puppet, SELINUX / Tagged: fileserver, puppet, SELinux
