puppetmaster-passenger default vhost has wrong documentroot

Bug #948983 reported by Glenn Aaldering
This bug affects 1 person
Affects           Status         Importance   Assigned to   Milestone
puppet (Ubuntu)   Fix Released   High         Marc Cluet
Precise           Fix Released   High         Marc Cluet

Bug Description

After a clean install of puppetmaster-passenger on 12.04 the vhost /etc/apache2/sites-available/puppetmaster is wrong:
1: SSL certificates for puppetmaster on ubuntu are not in /etc/puppet/ssl but in /var/lib/puppet/ssl
2: Rack application for puppetmaster on ubuntu is not in /etc/puppet but in /usr/share/puppet

This config works for me (PLEASE NOTE: $FQDN should be the actual FQDN of the server):
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile /var/lib/puppet/ssl/certs/$FQDN.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/$FQDN.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

Tags: precise

James Page (james-page)
Changed in puppet (Ubuntu):
importance: Undecided → High
James Page (james-page)
Changed in puppet (Ubuntu):
status: New → Confirmed
James Page (james-page) wrote :

Additional confirmation notes:

1: SSL certificates for puppetmaster on ubuntu are not in /etc/puppet/ssl but in /var/lib/puppet/ssl

The SSL certificates on my clean install were pointing at the correct locations in /var/lib/puppet/ssl

2: Rack application for puppetmaster on ubuntu is not in /etc/puppet but in /usr/share/puppet

Confirmed - default document root was /etc/puppet/rack not /usr/share/puppet/rack

tags: added: precise
Changed in puppet (Ubuntu):
milestone: none → ubuntu-12.04-beta-2
James Page (james-page) wrote :

I also see the following error when the postinst script tries to restart apache2:

Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!

Needs an extra a2enmod headers

Marc Cluet (lynxman)
Changed in puppet (Ubuntu Precise):
assignee: nobody → Marc Cluet (lynxman)
Glenn Aaldering (glennaaldering) wrote :

1: Correct, if /etc/puppet/puppet.conf has no [main] section with ssldir set (to /var/lib/puppet/ssl) the puppetmaster-passenger package install will use its default /etc/puppet/ssl path for the SSL variables in the /etc/apache2/sites-available/puppetmaster vhost and the generated certificate files.

Glenn Aaldering (glennaaldering) wrote :

James, check bug 948909, which I posted yesterday. It's about the a2enmod headers.

Marc Cluet (lynxman) wrote :

Reproduced and confirmed this was caused by 2 reasons

1- apache2 doesn't enable mod_headers by default now, so we need to explicitly enable it on puppetmaster-passenger.postinst
2- Rack directory changed from /usr/share/puppet/rack/puppetmasterd to /etc/puppet/rack/public/ on the config file, we need to revert this on puppetmaster-passenger.postinst

Changed in puppet (Ubuntu Precise):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package puppet - 2.7.11-1ubuntu1

---------------
puppet (2.7.11-1ubuntu1) precise; urgency=low

  [ Marc Cluet ]
  * debian/patches/puppet-12844: Cherry picked patch from upstream
    2.7.12 to revert new agent lockfile behaviour as it breaks upgrades
    from versions < 2.7.10. This feature has been pushed out to
    puppet 3.x by upstream.
  * debian/puppetmaster-passenger.postinst (LP: #948983)
    - Fixed rack directory location
    - Added proper enabling of apache2 headers mod
  * debian/puppetmaster-passenger.postinst (LP: #950183)
    - Make sure we error if puppet config print doesn't work

  [ James Page ]
  * debian/puppetmaster-passenger.postinst:
    - Ensure upgrades from <= 2.7.11-1 fixup passenger apache
      configuration.
 -- Marc Cluet <email address hidden> Fri, 16 Mar 2012 15:36:35 +0000

Changed in puppet (Ubuntu Precise):
status: Fix Committed → Fix Released
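
A pre-restart check for the failure modes confirmed in this thread (DocumentRoot pointing at a directory that does not exist, SSL file paths under the wrong ssldir, and RequestHeader used while mod_headers is not enabled), written as an added example; it is not the code from puppetmaster-passenger.postinst. The function name `check_vhost`, its optional ROOT prefix argument and the demo tree are assumptions made for illustration.

```shell
# check_vhost VHOST [ROOT]: print one line per problem found in an Apache vhost.
# ROOT is a hypothetical filesystem prefix so the check can run on a constructed tree.
check_vhost() {
    vhost=$1 root=${2:-}
    # Every DocumentRoot must exist as a directory.
    awk 'tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2 }' "$vhost" |
    while read -r dir; do
        [ -d "$root$dir" ] || echo "missing DocumentRoot: $dir"
    done
    # Every certificate, key, chain, CA and CRL file named in the vhost must exist.
    awk '$1 ~ /^SSL(Certificate|CACertificate|CARevocation)[A-Za-z]*File$/ { gsub(/"/, "", $2); print $2 }' "$vhost" |
    sort -u | while read -r f; do
        [ -f "$root$f" ] || echo "missing SSL file: $f"
    done
    # RequestHeader comes from mod_headers; a2enmod links it into mods-enabled.
    if grep -Eqi '^[[:space:]]*RequestHeader[[:space:]]' "$vhost" &&
       [ ! -e "$root/etc/apache2/mods-enabled/headers.load" ]; then
        echo "RequestHeader used but mod_headers not enabled (a2enmod headers)"
    fi
}

# Constructed demo: the broken state described in this bug, then the fixed state.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/share/puppet/rack/puppetmasterd/public" \
             "$t/var/lib/puppet/ssl/certs" "$t/etc/apache2/mods-enabled"
    : > "$t/var/lib/puppet/ssl/certs/ca.pem"
    cat > "$t/broken.conf" <<'EOF'
<VirtualHost *:8140>
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    DocumentRoot /etc/puppet/rack/public/
</VirtualHost>
EOF
    echo "== broken"; check_vhost "$t/broken.conf" "$t"
    sed 's|/etc/puppet/rack/public/|/usr/share/puppet/rack/puppetmasterd/public/|' \
        "$t/broken.conf" > "$t/fixed.conf"
    : > "$t/etc/apache2/mods-enabled/headers.load"
    echo "== fixed"; check_vhost "$t/fixed.conf" "$t"
    rm -rf "$t"
}
demo
```

On a real host, call `check_vhost /etc/apache2/sites-available/puppetmaster` with no second argument; no output means all three checks passed.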