On Wed, May 25, 2011 at 7:11 AM, Chris Phillips <ch...@untrepid.com> wrote:
> Hi,
>
> I've successfully hooked up func to use the puppet certs, mostly nicely.
> I'm now looking at using func to perform nagios checks (instead of
> installing nrpe, which is more pants than func). Here the nagios service
> runs as the nagios user, and so func also runs as that user, I thought I was
> sorted by making the private key mode 640 so func could read the private key as
> the nagios user, but the puppet private key is always changed to mode 600
> when puppet runs.
>

You should be able to do this in your puppet.conf

    [agent]
    privatekeydir = /etc/puppet/ssl/private_keys { mode = 0750 }
    hostprivkey = /etc/puppet/ssl/private_keys/$certname.pem { mode = 0640 }

and Puppet will ensure those permissions. There may be some edge cases here,
as this isn't a widely used feature.

For those of you following along with the bug where we overwrite symlinks,
http://projects.puppetlabs.com/issues/650, you can't use this to ensure that
a given file is actually a symlink. Sorry.

> How can a non root / puppet user access the private key for func? I can't
> see any way to disable to rights and chattr-ing it makes puppet choke.
>
> Is there a better way I could be approaching this overall? sudoing as part
> of the check doesn't sound like fun to me.
>
> Thanks
>
> Chris
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

--
Nigel Kersten
Product, Puppet Labs
@nigelkersten
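
A way to confirm after a Puppet run that the modes from the reply above are actually in place, as an added example that is not part of the original thread or of Puppet itself. It also checks group ownership, because the 0640 group-read bit only helps the nagios user if the key's group is one that user belongs to. Assumptions: GNU stat on Linux; `audit_key_perms` is a hypothetical helper name; the demo tree is constructed, not a real ssldir.

```shell
#!/bin/sh
# audit_key_perms KEYDIR KEYFILE GROUP
#   GROUP is a group name or a numeric GID.
#   Prints one line per finding; returns 0 if clean, 1 otherwise.
audit_key_perms() {
    keydir=$1 keyfile=$2 want_group=$3
    rc=0

    for p in "$keydir" "$keyfile"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; return 1; fi
    done

    # Expected modes are the ones set in the puppet.conf snippet: 0750 / 0640.
    dir_mode=$(stat -L -c %a "$keydir")
    key_mode=$(stat -L -c %a "$keyfile")
    if [ "$dir_mode" != 750 ]; then
        echo "DIRMODE $keydir is $dir_mode, want 750"; rc=1
    fi
    if [ "$key_mode" != 640 ]; then
        echo "KEYMODE $keyfile is $key_mode, want 640"; rc=1
    fi

    # Compare by name (%G) or by numeric GID (%g), depending on what was given.
    case $want_group in
        *[!0-9]*) fmt=%G ;;
        *)        fmt=%g ;;
    esac
    for p in "$keydir" "$keyfile"; do
        g=$(stat -L -c "$fmt" "$p")
        if [ "$g" != "$want_group" ]; then
            echo "GROUP $p is $g, want $want_group"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a key that has been reset to 0600, as in the question.
demo=$(mktemp -d)
mkdir "$demo/private_keys"
: > "$demo/private_keys/host.pem"
chmod 0750 "$demo/private_keys"
chmod 0600 "$demo/private_keys/host.pem"
audit_key_perms "$demo/private_keys" "$demo/private_keys/host.pem" "$(id -g)" \
    || echo "audit failed"
rm -rf "$demo"
```

On a real agent the arguments would be the `privatekeydir` and `hostprivkey` paths from puppet.conf and the group the monitoring user is a member of.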