Error Messages¶
The following sections describe how to troubleshoot some common errors and problems.
External PostgreSQL¶
The following error messages may be present when configuring the Chef server to use a remote PostgreSQL server.
CSPG001 (changed setting)¶
Reason
The value of postgresql['external']
has been changed.
Possible Causes
- This setting must be set before running
chef-server-ctl reconfigure
, and may not be changed after
Warning
Upgrading is not supported at this time.
Resolution
- Back up the data using
knife ec backup
, create a new backend instance, and then restore the data - Re-point front end machines at the new backend instance or assign the new backend instance the name/VIP of the old backend instance (including certificates, keys, and so on)
CSPG010 (cannot connect)¶
Reason
Cannot connect to PostgreSQL on the remote server.
Possible Causes
- PostgreSQL is not running on the remote server
- The port used by PostgreSQL is blocked by a firewall on the remote server
- Network routing configuration is preventing access to the host
- When using Amazon Web Services (AWS), rules for security groups are preventing the Chef server from communicating with PostgreSQL
CSPG011 (cannot authenticate)¶
Reason
Cannot authenticate to PostgreSQL on the remote server.
Possible Causes
- Incorrect password specified for
db_superuser_password
- Incorrect user name specified for
db_superuser
CSPG012 (incorrect rules)¶
Reason
Cannot connect to PostgreSQL on the remote server because rules in pg_hba
are incorrect.
Possible Causes
- There is no
pg_hba.conf
rule for thedb_superuser
in PostgreSQL - A rule exists for the
db_superuser
inpg_hba.conf
, but it does not specifymd5
access - A rule in
pg_hba.conf
specifies an incorrect originating address
Resolution
Entries in the
pg_hba.conf
file should allow all user names that originate from any Chef server instance usingmd5
authentication. For example, apg_hba.conf
entry for a valid username and password from the 192.0.2.0 subnet:host postgres all 192.0.2.0/24 md5
or, specific named users with a valid password originating from the 192.0.2.0 subnet. A file named
$PGDATA/chef_users
with the following content must be created:opscode_chef opscode_chef_ro bifrost bifrost_ro oc_id oc_id_ro
where
CHEF-SUPERUSER-NAME
is replaced with the same user name specified bypostgresql['db_superuser']
. The correspondingpg_hba.conf
entry is similar to:host postgres @chef_users 192.168.93.0/24 md5
or, using the same
$PGDATA/chef_users
file (from the previous example), the following example shows a way to limit connections to specific nodes that are running components of the Chef server. This approach requires more maintenance because thepg_hba.conf
file must be updated when machines are added to or removed from the Chef server configuration. For example, a high availability configuration with four nodes:backend-1
(192.0.2.100),backend-2
(192.0.2.101),frontend-1
(192.0.2.110), andfrontend-2
(192.0.2.111).The corresponding
pg_hba.conf
entry is similar to:host postgres @chef_users 192.0.2.100 md5 host postgres @chef_users 192.0.2.101 md5 host postgres @chef_users 192.0.2.110 md5 host postgres @chef_users 192.0.2.111 md5
These changes also require a configuration reload for PostgreSQL:
pg_ctl reload
or:
SELECT pg_reload_conf();
Rules in the
pg_hba.conf
file should allow only specific application names:$db_superuser
(the configured superuser name in the chef-server.rb file),oc_id
,oc_id_ro
,opscode_chef
,opscode_chef_ro
,bifrost
, andbifrost_ro
CSPG013 (incorrect permissions)¶
Reason
The db_superuser
account has incorrect permissions.
Possible Causes
The
db_superuser
account has not been grantedSUPERUSER
accessThe
db_superuser
account has not been grantedCREATE DATABASE
andCREATE ROLE
privilegesALTER ROLE "$your_db_superuser_name" WITH SUPERUSER
or:
ALTER ROLE "$your_db_superuser_name" WITH CREATEDB CREATEROLE
CSPG014 (incorrect version)¶
Reason
Bad version of PostgreSQL.
Possible Causes
- The remote server is not running PostgreSQL version 9.2.x
CSPG015 (missing database)¶
Reason
The database template template1
does not exist.
Possible Causes
- The
template1
database template has been removed from the remote server
Resolution
Run the following command (as a superuser):
CREATE DATABASE template1 TEMPLATE template0
or:
createdb -T template0 template1
CSPG016 (database exists)¶
Reason
One (or more) of the PostgreSQL databases already exists.
Possible Causes
- The
opscode_chef
,oc_id
, and/orbifrost
databases already exist on the remote machine - The PostgreSQL database exists for another application
Resolution
- Verify that the
opscode_chef
,oc_id
, and/orbifrost
databases exist, and then verify that they are not being used by another internal application - Back up the PostgreSQL data, remove the existing databases, and reconfigure the Chef server
CSPG017 (user exists)¶
Reason
One (or more) of the PostgreSQL predefined users already exists.
Possible Causes
- The
opscode_chef
,ospcode_chef_ro
,bifrost
,bifrost_ro
,oc_id
, oroc_id_ro
users already exist on the remote machine - The
postgresql['vip']
setting is configured to a remote host, butpostgresql['external']
is not set totrue
, which causes theopscode_chef
andospcode_chef_ro
users to be created before the machine is reconfigured, which will return a permissions error - Existing, valid naming conflicts are present, where the users were created independently of the Chef server
Resolution
Run the following, if it is safe to do so, to update the user name that is specified in the error message:
DROP ROLE "name-of-user";
or change the name of the user by updating following settings in the chef-server.rb configuration file:
oc_id['sql_user'] = 'alternative_username' oc_id['sql_ro_user'] = alternative_username_for_ro_access' opscode_erchef['sql_user'] = 'alternative_username' opscode_erchef['sql_ro_user'] = 'alternative_username_for_ro_access' oc_bifrost['sql_ro_user'] = 'alternative_username' oc_bifrost['sql_ro_user'] = 'alternative_username_for_ro_access'