Hello,
On Apr 9, 2013, at 12:02 AM, Stack Kororā wrote:

Greetings!

I am having a problem with puppet mounting a device and am hoping someone
can help. Here is the short version, if you have questions or need more
detail, please feel free to ask.

I have a Panasas storage device on my network on which my home directory
resides. The Panasas device mounts the filesystem via a kernel module
(which they call DirectFlow). Thus, when I run as root `mount /home` a
kernel module is loaded and then the filesystem is loaded. I have certain
restrictions in place on my servers which I have to keep in line (Puppet is
AMAZING for this!) and the mounting of /home is one of those restrictions.

I have in my puppet manifest this:
    mount { "/home" :
      ensure   => mounted,
      atboot   => true,
      device   => "panfs://192.168.1.20/home",
      fstype   => "panfs",
      options  => "defaults,nodev",
      remounts => true,
      pass     => 2,
      dump     => 1,
    }

If I run, as root, `puppet agent --test` then the /home filesystem is
mounted and everything is wonderful. However, if I let the puppet agent
daemon try to mount /home I get errors in the log files without the mount
ever happening.

The puppet agent that runs on your server is normally running as root (it has to be to have privileges to make all of the changes it can do). However, a number of Linux operating systems have further security protection beyond just root which can restrict what daemons can do but does not restrict what a 'human' logged in as root may be able to do. For example, all of the Red Hat Enterprise Linux (and Fedora) releases use SELinux, which will normally limit what even root-executing daemon processes can do in order to protect the system from attacks. Other OS's like OpenBSD/FreeBSD or Linux distributions have similar capabilities that go by different names.

If those are enabled, you may find that things you can do as a root user don't work when run from cron or from a daemon process.

If this is RHEL/CentOS then try putting SELinux in permissive mode (as root user run 'setenforce Permissive') and see if you have the same problem. If so then that identifies the issue and you can either generate a custom SELinux policy for puppet, run in permissive, or change the way the mount happens. What to do depends on your organization's security policy.

Since it works when you run puppet agent --test the manifest itself is probably fine and the puppet mount code is able to load your module ok.

Apr 2 13:01:08 testnode puppet-agent[29955]:
(/Stage[main]/mount::Homefilesystem/Mount[/home]/ensure) ensure changed
'unmounted' to 'mounted'
Apr 2 13:01:08 testnode puppet-agent[29955]:
(/Stage[main]/mount::Homefilesystem/Mount[/home]) Could not evaluate:
Execution of '/bin/mount -o defaults,nodev /home' returned 1: mount.panfs
error: cannot init pan_sock_ping 0x239d (pan_sock: protected socket,
permission denied)

Neither Panasas representatives I talked to seemed to have any idea what
Puppet was before I spoke to them. My coworkers, the Panasas reps, and I
brainstormed a few ideas but only three seemed to "work":
* Have the puppet daemon run as root instead of the puppet user (which is
an obvious issue)

This should already be happening. Only the 'puppet master' runs as a regular 'puppet' user, the agent normally runs as root.

* Use auto-mount (which "works" but is causing some oddities in a few of my
jobs which I am fairly sure is due to the latency of the mount)
* Have Puppet call a script with the setuid bit configured which can mount
/home (which doesn't 100% address my needs of puppet being able to remount
if one of those parameters is wrong/missing/changed/whatever without that
script getting complicated).

I would not recommend this. It is fragile and as you say loses much of the benefit of puppet.

Before I commit towards one option, I thought I would ask the other Puppet
masters out there for ideas. Given the popularity of Puppet in datacenters
as well as the popularity of SAN devices in datacenters I figure someone
out there has probably solved this problem. I am hoping that their solution
is better than the ones we have come up with. :-D

Can anyone help me out with this?

Thank you in advance!!

Stack

Hope this helps.

Jonathan
-------------------------------------------------------------------------------
Jonathan Stanton jonathan@spreadconcepts.com
Spread Group Messaging www.spread.org
Spread Concepts LLC www.spreadconcepts.com
-------------------------------------------------------------------------------




--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
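
One way to test the SELinux explanation suggested in the reply above without leaving the host in permissive mode is to summarize the AVC denials the audit log recorded for the mount helper. This is an added example, not part of the thread: the audit lines are constructed, and the SELinux types, the `comm` value and the module name `puppet_panfs` in the comments are assumptions.

```shell
#!/bin/sh
# Constructed sample in audit.log format. The SELinux types, permissions and
# comm value are illustrative assumptions, not data from the thread.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1364925668.101:4567): avc:  denied  { create } for  pid=29960 comm="mount.panfs" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=rawip_socket
type=SYSCALL msg=audit(1364925668.101:4567): arch=c000003e syscall=41 success=no exit=-13 pid=29960 comm="mount.panfs"
type=AVC msg=audit(1364925668.102:4568): avc:  denied  { module_request } for  pid=29960 comm="mount.panfs" kmod="panfs" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1364925700.500:4570): avc:  denied  { read } for  pid=1200 comm="httpd" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1364925800.000:4580): avc:  denied  { create } for  pid=30010 comm="mount.panfs" scontext=system_u:system_r:puppet_t:s0 tcontext=system_u:system_r:puppet_t:s0 tclass=rawip_socket
EOF
}

# Read audit records on stdin; print "count source_type target_type class perms"
# for every distinct AVC denial whose comm starts with $1.
summarize_denials() {
  awk -v want="$1" '
    function val(key) {
      if (!match($0, " " key "=[^ ]+")) return ""
      return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 2)
    }
    function setype(ctx,   a) { split(ctx, a, ":"); return a[3] }
    /^type=AVC / && /avc: +denied/ {
      comm = val("comm"); gsub(/"/, "", comm)
      if (index(comm, want) != 1) next
      if (!match($0, /[{] [^}]* [}]/)) next
      perms = substr($0, RSTART + 2, RLENGTH - 4)
      seen[setype(val("scontext")) " " setype(val("tcontext")) " " val("tclass") " " perms]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort
}

# Succeeds when stdin holds at least one denial for the given comm prefix.
selinux_blocked() { [ -n "$(summarize_denials "$1")" ]; }

sample_audit_log | summarize_denials mount

# On a real host, feed the audit log instead of the sample:
#   ausearch -m avc -ts recent | summarize_denials mount
# If denials appear, a local module can be drafted from the same records and
# reviewed before loading (module name puppet_panfs is hypothetical):
#   ausearch -m avc -ts recent | audit2allow -M puppet_panfs
#   semodule -i puppet_panfs.pp
```

If the summary is empty for the window in which the daemon's mount failed, the audit log offers no evidence for the SELinux explanation and the "permission denied" needs another cause.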
Discussion Overview
group: puppet-users
category: puppet
posted: Apr 9, '13 at 2:06p
active: Apr 12, '13 at 10:22p
posts: 6
users: 4
website: puppetlabs.com
