On 07/01/2010 02:51 PM, Luke Kanies wrote:
On Jul 1, 2010, at 10:30 AM, Bryan Kearney wrote:

I am trying to configure the puppet master and puppet client to drive
off of existing x.509 certificates. The default logic is for puppet to
take over the permissions of the files. One solution, per [1], is to
crack the defaults.rb file. This seems nasty.

The second option I saw [2] was to use {} to denote the same items.
So, I added this to my puppet.conf file:

[puppetmasterd]
cacert=/etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
capub=/etc/candlepin/certs/candlepin-ca-pub.key
cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
capass = /etc/candlepin/certs/candlepin-ca-password.txt {owner = root, mode = 644}


But this is not picked up because meta overrides are only taken from
the search path which is: [:cli, :memory, :name, :main]. I am guessing
that name in this case is meant to be puppetmasterd, but the magic of
"turn :name into the application name" is only found in
Puppet::Util::Settings.name method.

So, a couple of questions:

1) Is there good doco on how to use external certificates?

Probably not. Most examples I have seen do the opposite - use Puppet's
certs, rather than the other way around.

ok.. I will keep digging around :)


2) Is the goal to only set file permissions in the main section of
puppet.conf, or is this a bug?

This is a bug, but it's probably not quite what it looks like. The
'name' there is somewhat magical - the search path code knows to replace
it with the actual application name. Note, though, that this whole
process is bad enough that it's been entirely replaced in 2.6.

Are you using this with puppetmasterd, or with a different executable?

I am at the puppetmasterd now. Is it worth me putting in a patch where I need it?


3) Would the preferred fix for 2, assuming a bug, to fix this in the
Puppet::Util::Settings.searchpath method (substitute @name for :name
if known) or in the Puppet::Util::Settings.unsafe_parse method?

If you're using a recent enough version, I'd recommend disabling
'manage_internal_file_permissions', at least for now.

Obviously, the best thing is if this actually works for you. I think 2.6
will make this name-based searching work.


I will try this. Is 2.6 "master" now? I could try running against master if that is better. Also.. I am happy to put in a patch for (2) if you like.

-- bk
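A small Ruby model of the meta-override lookup discussed in the thread, added here as an illustration and not Puppet's own code: it parses the `{owner = ..., mode = ...}` suffix and shows that overrides under [puppetmasterd] are only found once :name in the search path has been replaced by the application name. The parsing and lookup logic are my own simplification (an assumption); the section names, keys and search path are the ones quoted above.

```ruby
# Added illustration, not Puppet's own code: a toy model of how a
# puppet.conf "key = value {owner = ..., mode = ...}" meta override is
# honoured only when its section is on the settings search path.
# Parsing and lookup logic are a simplification (assumption).

# Constructed sample config; paths are the ones quoted in the thread.
SAMPLE_CONF = <<~CONF
  [main]
  ssldir = /var/lib/puppet/ssl {owner = puppet, mode = 750}
  [puppetmasterd]
  cacert = /etc/candlepin/certs/candlepin-ca.crt {owner = fred, mode = 644}
  capub = /etc/candlepin/certs/candlepin-ca-pub.key
  cakey = /etc/candlepin/certs/candlepin-ca.key {owner = root, mode = 644}
CONF

# Parse into { section => { key => { value: String, meta: Hash } } }.
def parse_conf(text)
  sections = Hash.new { |h, k| h[k] = {} }
  section = :main
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line =~ /\A\[(\w+)\]\z/
      section = Regexp.last_match(1).to_sym
      next
    end
    key, rest = line.split('=', 2).map(&:strip)
    value, meta_src = rest.split('{', 2)
    meta = {}
    (meta_src || '').chomp('}').split(',').each do |pair|
      k, v = pair.split('=', 2).map(&:strip)
      meta[k.to_sym] = v
    end
    sections[section][key.to_sym] = { value: value.strip, meta: meta }
  end
  sections
end

# Search path quoted in the thread. :name is a placeholder: unless it is
# replaced by the running application's name, no app section is consulted.
SEARCHPATH = [:cli, :memory, :name, :main].freeze

def searchpath(app_name = nil)
  SEARCHPATH.map { |s| s == :name && app_name ? app_name.to_sym : s }
end

# Meta overrides visible on the search path; the first section found wins.
def meta_overrides(sections, app_name = nil)
  searchpath(app_name).each_with_object({}) do |sec, acc|
    sections.fetch(sec, {}).each { |k, v| acc[k] ||= v[:meta] unless v[:meta].empty? }
  end
end
```

With no application name, only the [main] override is returned, which is the behaviour described in the thread; passing 'puppetmasterd' makes the cacert and cakey overrides visible.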

