Puppet Plug-in v3.0 and 3.1 for vRealize Automation: adding a Puppet master fails in Puppet Enterprise 2016.4.x to 2018.1.x – Puppet Support

In the vRO client, when you run the Add a Puppet Enterprise Master workflow, it fails with a runtime exception.

Error messages and logs

In the vRO client, when you run the Add a Puppet Enterprise Master workflow, you get either of the following messages:

Unable to create a vCO endpoint of type 'Puppet'. Reason: 'Failed to add Master. Exception: (RuntimeException: Failed to get Facter fact) (Workflow:Add a Puppet Enterprise Master / Add a Puppet Enterprise Master (item1)#7)'

Unable to create a vCO endpoint of type 'Puppet'. Reason: 'Failed to add Master. Exception: (JSchException: Auth cancel) (Workflow:Add a Puppet Enterprise Master / Add a Puppet Enterprise Master (item1)#7)'

Version and installation information

PE version: 2016.4.x to 2018.1.x

Solution

The issue occurs because requirements for the plug-in are not met. The user for the workflow cannot complete the facter command needed to get the current PE version and add the master. Classification for the plug-in must also be correct for the workflow to succeed.

Learn more about vRO configuration.

To add the master, the vro-plugin-user user must:

Be able to SSH into the master from the vRO client.
Be either using root or be able to run Puppet commands without entering a password for sudo.

Check that the user meets the requirements: SSH into the master with the vro-plugin-user credentials and run the following command: sudo /opt/puppetlabs/bin/facter -p pe_server_version When the command runs successfully, the output is your version of PE, for example, 2017.3.2.
If you are unable to SSH into the master with the vro-plugin-user credentials, confirm that classification is correct.

Ensure that the vro_plugin_sshd and vro_plugin_user classes are classified for the master. If you see any errors, fix them.
Run puppet agent -t on the master.
SSH into the master as the vro-plugin-user and run the facter command again:
```
sudo /opt/puppetlabs/bin/facter -p pe_server_version
```

Troubleshooting OS issues

If you are not able to run the command successfully, use the following troubleshooting sections to fix OS issues.

Unable to SSH into the master

If you are unable to SSH in to the master after completing the steps above, check the following items on the master.

Ensure that the SSH configuration allows password authenticated logins. In /etc/ssh/sshd_config check that the following lines are present:
```
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
```
Ensure that the vro_plugin_user is allowed to SSH into the master. Open /etc/ssh/sshd_config and check for configuration issues. Commonly, the AllowUsers setting is enabled but does not contain the vro-plugin-user.
Ensure that the /etc/ssh/sshd_config has been read by restarting the ssh service.

If you have an issue using SSH after fixing these items above, work with your OS vendor to troubleshoot the issue.

Unable to run sudo commands without entering a password

If you are unable to run sudo commands with the vro-plugin-user without entering a password after completing the steps above, check the following items on the master.

Ensure the file /etc/sudoers.d/vro-plugin-user exists and contains entries with NOPASSWD in them.

For example:
```
vro-plugin-user ALL = (root) NOPASSWD: /opt/puppetlabs/bin/facter -p puppetversion
```
If it does not, check the Puppet catalog for items that modify the sudoers file.
In /etc/sudoers, ensure that /etc/sudoers.d/ is included.

Ensure that no other configuration options prevent the vro-plugin-user from using sudo without a password. Check sudo access for vro-plugin-user by logging in and running sudo -l.

For example:

$ sudo -l
Matching Defaults entries for vro-plugin-user on this host:
    !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
User vro-plugin-user may run the following commands on this host:
    (root) NOPASSWD: /opt/puppetlabs/bin/puppet node purge *
    (root) NOPASSWD: !/opt/puppetlabs/bin/puppet node purge *[[\:blank\:]]*
    (root) NOPASSWD: /opt/puppetlabs/bin/puppet config print *
    (root) NOPASSWD: !/opt/puppetlabs/bin/puppet config print *[[\:blank\:]]*
    (root) NOPASSWD: /opt/puppetlabs/bin/facter -p puppetversion
    (root) NOPASSWD: /opt/puppetlabs/bin/facter -p pe_server_version
    (root) NOPASSWD: /opt/puppetlabs/bin/puppet agent -t
    (root) NOPASSWD: /opt/puppetlabs/bin/puppet agent --test --color\=false --detailed-exitcodes
    (root) NOPASSWD: /bin/kill -HUP *
    (root) NOPASSWD: !/bin/kill -HUP *[[\:blank\:]]*
    (root) NOPASSWD: !/opt/puppetlabs/bin/puppet node purge pe-201734-master.puppetdebug.vlan
    (root) NOPASSWD: !/opt/puppetlabs/bin/puppet node purge pe-internal-mcollective-servers
    (root) NOPASSWD: !/opt/puppetlabs/bin/puppet node purge pe-internal-peadmin-mcollective-client
    (root) NOPASSWD: /opt/puppetlabs/bin/puppet resource service puppet ensure\=stopped
    (root) NOPASSWD: /opt/puppetlabs/bin/puppet resource service puppet ensure\=running enable\=true
    (root) NOPASSWD: /bin/cp /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem

If the sudo issue persists after checking these items, work with your OS vendor to troubleshoot the issue.