On Jul 1, 2010, at 10:30 AM, Bryan Kearney wrote:
> I am trying to configure the puppet master and puppet client to
> drive off of existing X.509 certificates. The default logic is for
> puppet to take over the permissions of the files. One solution, per
> [1], is to crack the defaults.rb file. This seems nasty.
> The second option I saw [2] was to use {} to denote the same items.
> So, I added this to my puppet.conf file:
>
> [puppetmasterd]
> cacert = /etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
> capub = /etc/candlepin/certs/candlepin-ca-pub.key
> cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
> capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner = root, mode = 644}
>
> But this is not picked up because meta overrides are only taken from
> the search path which is: [:cli, :memory, :name, :main]. I am
> guessing that name in this case is meant to be puppetmasterd, but
> the magic of "turn :name into the application name" is only found in
> the Puppet::Util::Settings.name method.
>
> So, a couple of questions:
>
> 1) Is there good doco on how to use external certificates?

Probably not. Most examples I have seen do the opposite - use
Puppet's certs, rather than the other way around.

> 2) Is the goal to only set file permissions in the main section of
> puppet.conf, or is this a bug?

This is a bug, but it's probably not quite what it looks like. The
'name' there is somewhat magical - the search path code knows to
replace it with the actual application name. Note, though, that this
whole process is bad enough that it's been entirely replaced in 2.6.

Are you using this with puppetmasterd, or with a different executable?

> 3) Would the preferred fix for 2, assuming a bug, be to fix this in the
> Puppet::Util::Settings.searchpath method (substitute @name for :name
> if known) or in the Puppet::Util::Settings.unsafe_parse method?

If you're using a recent enough version, I'd recommend disabling
'manage_internal_file_permissions', at least for now.

Obviously, the best thing is if this actually works for you. I think
2.6 will make this name-based searching work.
--
The conception of two people living together for twenty-five years
without having a cross word suggests a lack of spirit only to be
admired in sheep. --Alan Patrick Herbert
---------------------------------------------------------------------
Luke Kanies -|- http://puppetlabs.com -|- +1(615)594-8199
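The search-path behaviour discussed in the thread, as an added example that is not Puppet's own code and not part of the original messages. It is a constructed toy model: a small parser for the `setting = value {owner = ..., mode = ...}` syntax, a search path that either leaves `:name` literal or substitutes the application name, and a lookup that walks that path. Only the `[:cli, :memory, :name, :main]` order, the `{owner, mode}` syntax and the candlepin paths come from the thread; `parse_conf`, `searchpath`, `lookup_meta` and `world_readable?` are hypothetical names. The last function is an added defender's check on the resulting mode, since a `644` mode on a CA private key leaves it readable by every local account.

```ruby
# Added example (not Puppet's code): toy model of puppet.conf metadata lookup.
# Only the search order [:cli, :memory, :name, :main] and the
# "{owner = ..., mode = ...}" syntax are taken from the mailing-list thread.

# Parse INI-style text into { section => { setting => { value:, meta: } } }.
def parse_conf(text)
  sections = {}
  current = :main
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1].to_sym
      next
    end
    key, rest = line.split("=", 2).map(&:strip)
    meta = {}
    # A trailing "{k = v, k = v}" carries file ownership/mode metadata.
    if (mm = rest.match(/\A(.*?)\s*\{(.*)\}\z/))
      rest = mm[1].strip
      mm[2].split(",").each do |pair|
        mk, mv = pair.split("=", 2).map(&:strip)
        meta[mk.to_sym] = mv
      end
    end
    (sections[current] ||= {})[key.to_sym] = { value: rest, meta: meta }
  end
  sections
end

# Search order quoted in the thread; :name stands for the running application.
# With substitute: false the literal :name never matches a real section.
def searchpath(app_name, substitute:)
  path = [:cli, :memory, :name, :main]
  substitute ? path.map { |s| s == :name ? app_name.to_sym : s } : path
end

# Walk the search path and return the first non-empty metadata for a setting.
def lookup_meta(sections, setting, app_name, substitute:)
  searchpath(app_name, substitute: substitute).each do |section|
    entry = sections.fetch(section, {})[setting]
    return entry[:meta] if entry && !entry[:meta].empty?
  end
  {}
end

# Defender's check: does the declared octal mode grant "other" read access?
# A CA private key with such a mode is readable by every local account.
def world_readable?(meta)
  return false unless meta[:mode]
  (meta[:mode].to_i(8) & 0o004) != 0
end

# Constructed sample modelled on the configuration posted in the thread.
SAMPLE_CONF = <<~CONF
  [main]
  cakey = /etc/candlepin/certs/candlepin-ca.key
  [puppetmasterd]
  cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
  capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner = root, mode = 644}
CONF

if __FILE__ == $PROGRAM_NAME
  conf = parse_conf(SAMPLE_CONF)
  # Literal :name matches no section, so the [puppetmasterd] meta is missed...
  p lookup_meta(conf, :cakey, "puppetmasterd", substitute: false)  # => {}
  # ...and is found once :name is replaced by the application name.
  meta = lookup_meta(conf, :cakey, "puppetmasterd", substitute: true)
  p meta                        # owner/mode taken from [puppetmasterd]
  p world_readable?(meta)       # => true
end
```

Running the file shows the two outcomes side by side: with the literal `:name` the lookup falls through to `[main]`, which carries no metadata, while with substitution the `[puppetmasterd]` entry is honoured. Moving the metadata into `[main]` is found either way, which is the workaround the thread points at for versions before 2.6.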