On Wed, May 25, 2011 at 7:11 AM, Chris Phillips <ch...@untrepid.com> wrote:

> Hi,
>
> I've successfully hooked up func to use the puppet certs, mostly nicely.
> I'm now looking at using func to perform nagios checks (instead of
> installing nrpe, which is more pants than func). Here the nagios service
> runs as the nagios user, and so func also runs as that user, I thought I was
> sorted but making the private key mode 640 so func could read the private as
> the nagios user, but the puppet private key is always changed to mode 600
> when puppet runs.
>

You should be able to do this in your puppet.conf

[agent]
privatekeydir = /etc/puppet/ssl/private_keys { mode = 0750 }
hostprivkey = /etc/puppet/ssl/private_keys/$certname.pem { mode = 0640 }

and Puppet will ensure those permissions. There may be some edge cases here,
as this isn't a widely used feature.

For those of you following along with the bug where we overwrite symlinks,
http://projects.puppetlabs.com/issues/650, you can't use this to ensure that
a given file is actually a symlink. Sorry.
> How can a non root / puppet user access the private key for func? I can't
> see any way to disable to rights and chattr-ing it makes puppet choke.
>
> Is there a better way I could be approaching this overall? sudoing as part
> of the check doesn't sound like fun to me.
>
> Thanks
>
> Chris
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
-- 
Nigel Kersten
Product, Puppet Labs
@nigelkersten
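A small audit script to go with the puppet.conf settings above (an added example, not code from this thread or from Puppet): it checks that the private_keys directory and the host key actually ended up at 0750/0640, that no world bits are set at either level, and that both belong to the group the nagios user is in. The file names and the group id passed in are assumptions; the fixture it builds is constructed test data, not a real key.

```python
import os
import stat
import tempfile

# Modes taken from the puppet.conf snippet in the reply above.
DIR_MODE = 0o750   # privatekeydir
KEY_MODE = 0o640   # hostprivkey


def audit_key_perms(key_path, dir_path, allowed_gid):
    """Return a list of findings; an empty list means the layout matches the
    intended 0750 directory / 0640 key, both owned by allowed_gid (assumed to
    be the group the nagios user belongs to) and with no world access bits."""
    findings = []
    for path, want in ((dir_path, DIR_MODE), (key_path, KEY_MODE)):
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o007:
            findings.append(f"{path}: world access bits set ({mode:04o})")
        if mode != want:
            findings.append(f"{path}: mode {mode:04o}, expected {want:04o}")
        if st.st_gid != allowed_gid:
            findings.append(f"{path}: gid {st.st_gid}, expected {allowed_gid}")
    return findings


def make_fixture(dir_mode, key_mode):
    """Constructed test layout: a throwaway private_keys directory holding a
    dummy key file, chmod'ed to the given modes. Returns the arguments for
    audit_key_perms in order: (key_path, dir_path, gid of the key file)."""
    root = tempfile.mkdtemp()
    dir_path = os.path.join(root, "private_keys")
    os.mkdir(dir_path, 0o700)
    key_path = os.path.join(dir_path, "node.example.pem")  # placeholder name
    with open(key_path, "w") as fh:
        fh.write("-- constructed placeholder, not a real key --\n")
    os.chmod(dir_path, dir_mode)
    os.chmod(key_path, key_mode)
    return key_path, dir_path, os.stat(key_path).st_gid


if __name__ == "__main__":
    # Run against a fixture built with the intended modes; prints "ok".
    print(audit_key_perms(*make_fixture(DIR_MODE, KEY_MODE)) or "ok")
```

Point it at the real paths from puppet.conf (and the gid of the nagios user's group) to confirm Puppet applied the modes after a run.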
