New jessie instance can't attach to puppet due to wrong certname
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	hashar
	Jun 11 2015, 9:36 AM

Description

I have created a new Jessie instance integration-lightslave-jessie-1002 which points to a self puppet master. The puppet conf has:

[agent]
server = integration-puppetmaster.eqiad.wmflabs
certname = i-00000cdb.eqiad.wmflabs

Running puppet I am yield:

Warning: Server hostname 'integration-puppetmaster.eqiad.wmflabs' did not match server certificate;
expected one of
i-00000a4c.integration.eqiad.wmflabs,
DNS:i-00000a4c.integration.eqiad.wmflabs,
DNS:integration-puppetmaster.integration.eqiad.wmflabs,
DNS:puppet,
DNS:puppet.integration.eqiad.wmflabs

/etc/resolv.conf has:

domain integration.eqiad.wmflabs
search integration.eqiad.wmflabs eqiad.wmflabs
nameserver 208.80.154.20
options timeout:5 ndots:2

Hiera:integration has:

classes:
   - role::puppet::self
"role::puppet::self::master": integration-puppetmaster
"role::puppet::self::enc": yaml+ldap

Related Objects
Search...

Status	Assigned	Task
Resolved	hashar	T103972 Setup jobs for operations/software/conftool
Resolved	hashar	T95545 Migrate all debian-glue jobs to Jessie slaves
Resolved	hashar	T102894 Move labs/tools/extdist tox tests to jessie
Resolved	hashar	T103977 Create tox templates that are bound to jessie
Resolved	hashar	T94836 Create CI slaves using Debian Jessie
Resolved	Andrew	T102108 New jessie instance can't attach to puppet due to wrong certname
Resolved	Andrew	T102193 Add exception-handling to puppet signer

Event Timeline

hashar created this task.Jun 11 2015, 9:36 AM

hashar raised the priority of this task from to Needs Triage.

hashar updated the task description. (Show Details)

hashar added projects: Cloud-Services, Cloud-VPS.

hashar added a subscriber: hashar.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 11 2015, 9:36 AM

Is puppetmaster running latest puppet?

hashar updated the task description. (Show Details)Jun 11 2015, 9:37 AM

hashar set Security to None.

hashar added a parent task: T94836: Create CI slaves using Debian Jessie.

hashar removed a subscriber: yuvipanda.

I have changed in Hiera:integration the puppet master from 'integration-puppetmaster' to 'integration-puppetmaster.integration.eqiad.wmflabs' https://phabricator.wikimedia.org/T102108

Then manually tweaked /etc/puppet/puppet.conf:

[agent]
- server = integration-puppetmaster.eqiad.wmflabs
+ server = integration-puppetmaster.integration.eqiad.wmflabs

The connection works but the server side catalog compilation fails:

Error: Could not retrieve catalog from remote server:
Error 400 on SERVER: must be a simple hostname.  The project-specific domain will be automatically appended. at /etc/puppet/manifests/role/puppet.pp:67 on node i-00000cdb.eqiad.wmflabs

Which is role::puppet::self:

if $master != undef {
    if $master =~ /\./ {
        fail("$::puppetmaster must be a simple hostname.  The project-specific domain will be automatically appended.")
    }

https://gerrit.wikimedia.org/r/#/c/215333/ asserts that role::puppet::self::master is set to a simple hostname (no fqdn). @yuvipanda reverted the Hiera:Integration change ( https://wikitech.wikimedia.org/w/index.php?title=Hiera:Integration&action=history ).

Seems to work now.

Puppet did:

 [agent]
-server = integration-puppetmaster.eqiad.wmflabs
+server = integration-puppetmaster.integration.eqiad.wmflabs
 configtimeout = 480
 splay = true
 prerun_command = /etc/puppet/etckeeper-commit-pre
 postrun_command = /etc/puppet/etckeeper-commit-post
 pluginsync = true
 report = true
-certname = i-00000cdb.eqiad.wmflabs
+certname = i-00000cdb.integration.eqiad.wmflabs

I just reverted https://wikitech.wikimedia.org/w/index.php?title=Hiera%3AIntegration&type=revision&diff=162646&oldid=162643 and it seems to be ok.

Seems like this must have been due to an un-updated puppet repo on the master. Is that right?

I have created a new instance integration-t102108.eqiad.wmflabs . Let see what happens.

integration-t102108 is a Puppet client of integration-puppetmaster.eqiad.wmflabs (puppetclient)

Same error:

Info: Caching certificate for i-00000cdc.eqiad.wmflabs
Error: Could not request certificate:
Server hostname 'integration-puppetmaster.eqiad.wmflabs' did not match server certificate; expected one of
  i-00000a4c.integration.eqiad.wmflabs,
  DNS:i-00000a4c.integration.eqiad.wmflabs,
  DNS:integration-puppetmaster.integration.eqiad.wmflabs,
  DNS:puppet, DNS:puppet.integration.eqiad.wmflabs

Exiting; failed to retrieve certificate and waitforcert is disabled

Was provisioned with puppet.conf agent.server = integration-puppetmaster.eqiad.wmflabs which is not in the least of expected entries.

There is one based on the ec2id: i-00000a4c.integration.eqiad.wmflabs

Another one using the new dns scheme: integration-puppetmaster.integration.eqiad.wmflabs

I guess you need to adjust modules/labs_bootstrapvz/files/firstboot.sh and generate a new Jessie image. It has:

domain=`hostname -d`   # now yields integration.eqiad.wmflabs
if [ "${domain}" == "eqiad.wmflabs" ]
then
    master="labs-puppetmaster.wikimedia.org"
    master_secondary="labcontrol2001.wikimedia.org"
fi

So I guess at this point $master and $master_secondary are unset. But:

sed -i "s/_FQDN_/${idfqdn}/g" /etc/puppet/puppet.conf
sed -i "s/_MASTER_/${master}/g" /etc/puppet/puppet.conf

idfqdn being set to i-00000cdc.integration.eqiad.wmflabs

I think the issue is that new instances have the wrong domain, which means they can't contact the puppet server, which means they can't fix their domain.

I'll be building a new base image today -- we'll check and make sure it helps.

I'm still fighting with Jessie, but can you validate that the Trusty (testing) image works properly for you?

OK, I'm confident this is resolved with the new images. Reopen if you still can't get it to work.

On the integration project which uses custom salt and puppet masters, I have created an instance for Jessie and one for Trusty. None works :-D

integration-t102108-jessie-new

Horizon console

integration-t102108-trusty-new

Horizon console

Might be some oddity with our puppet/salt masters configurations though.

From a discussion with Andrew:

Seems to be caused by the puppet signer on labcontrol1001 . Instances hit the generic puppet master to be able to apply ::self. The signer does not always which is filled as T102193.

Andrew closed subtask T102193: Add exception-handling to puppet signer as Resolved.Jun 15 2015, 5:09 PM

I deleted the previous instances and created two fresh ones with puppet.git up-to-date.

integration-t102108-trusty-new2 https://horizon.wikimedia.org/project/instances/ee1fa9f9-0aac-4d0b-97e0-dbff0619ff0f/console

integration-t102108-jessie-new2 https://horizon.wikimedia.org/project/instances/e4866b5a-2407-40fe-b333-43dbdae740de/console

They both suffer from a 3 minutes boot delay because there is no NFS server available. The shared NFS has been disabled on integration T90610#1344487

Filling another task.

hashar mentioned this in T102544: Instances without a shared NFS storage suffers from a 3 minutes boot delay.Jun 15 2015, 8:17 PM

The puppet signer has been fixed by Andrew. The two instances I created (suffixed -new2) are both working fine as far as I can tell.

hashar removed a subtask: T102544: Instances without a shared NFS storage suffers from a 3 minutes boot delay.Jun 15 2015, 8:21 PM

I have deleted the two tests instances I created on the integration labs project.

• Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:50 PM

New jessie instance can't attach to puppet due to wrong certnameClosed, ResolvedPublicActions

Description

Related ObjectsSearch...

Event Timeline

New jessie instance can't attach to puppet due to wrong certname
Closed, ResolvedPublic
Actions

Related Objects
Search...