Puppetserver service fails to start with error "Permission denied - /var/log/puppetlabs/puppetserver" in Red Hat Satellite 6

Solution Verified - Updated 13 Jun 2024

Environment

Red Hat Satellite 6.4 and above
Red Hat Capsule 6.4 and above
Puppet 4 and above

Issue

The puppetserver service is not getting started and the following errors were observed in the /var/log/messages file of the Red Hat Satellite\Capsule server.

Aug 25 09:51:23 satellite puppetserver: Execution error (RuntimeError) at RUBY/use (/opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/settings.rb:1117).
Aug 25 09:51:23 satellite puppetserver: (RuntimeError) Got 1 failure(s) while initializing: File[/var/log/puppetlabs/puppetserver]: change from 'absent' to 'directory' failed: Could not set 'directory' on ensure: Permission denied - /var/log/puppetlabs/puppetserver
Aug 25 09:51:23 satellite puppetserver: Full report at:
Aug 25 09:51:23 satellite puppetserver: /tmp/clojure-3389792872287774462.edn
Aug 25 09:51:24 satellite puppetserver: Background process 19123 exited before start had completed
Aug 25 09:51:24 satellite systemd: puppetserver.service: control process exited, code=exited status=1
Aug 25 09:51:24 satellite systemd: Failed to start puppetserver Service.
Aug 25 09:51:24 satellite systemd: Unit puppetserver.service entered failed state.
Aug 25 09:51:24 satellite systemd: puppetserver.service failed.
Aug 25 09:51:24 satellite systemd: puppetserver.service holdoff time over, scheduling restart.
Aug 25 09:51:24 satellite systemd: Stopped puppetserver Service.

Resolution

Ensure that the ownership\permission\selinux_context of the /var/log/puppetlabs/puppetserver directory looks like the following.

# ls -ld /var/log/puppetlabs/puppetserver -Z
drwxr-x---. puppet puppet system_u:object_r:var_log_t:s0   /var/log/puppetlabs/puppetserver

If the issue persists, Ensure that /var/log/puppetlabs itself has the correct ownership\permission\selinux_context applied.
```
# ls -ldZ /var/log/puppetlabs
drwxr-xr-x. root root system_u:object_r:var_log_t:s0   /var/log/puppetlabs
```

For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues

Root Cause

The permission of /var/log/puppetlabs directory was set to 740 i.e. drwxr----- whereas the expected permission is 755 i.e. drwxr-xr-x.

Diagnostic Steps

Verify the permission\ownership\selinux_context of the /var/log/puppetlabs and its underlying directory and files.
```
# namei -lom /var/log/puppetlabs/puppetserver/*.log
# ls -lRZa /var/log/puppetlabs
```
Verify if there are any SELinux denials captured inside /var/log/audit/audit.log related to puppet or puppetserver.

SBR

SysMgmt

Product(s)

Red Hat Satellite

Components

puppet

Category

Troubleshoot

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.