Hello--

It turns out I was overly cautious about changing ownership away from root.  As 
long as you ensure the group owner is the puppet group, you can have mixed 
ownership for user.

My solution was to use the Setgid bit on all directories where puppet manifests 
are located and change the directories group ownership to the puppet group.  I 
then place my regular user account into the puppet group and I edit puppet 
manifests as user, not as root.

In effect, when I edit puppet manifests they will have ownership of 
pete:pe-puppet. When we do commits / checkouts from SVN they keep this same 
group ownership and function fine in Puppet runs.

So the steps to make it work are:

On the puppet directories, change group ownership to the puppet group, set the 
setgid bit and set file mode of rwx for group,

e.g. as root:

# chgrp -R pe-puppet /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
# chmod -R 2774 /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests

Placing the setgid bit will make files keep a group ownership of pe-puppet.

Then, add your regular user account to the puppet group, e.g.

# usermod -a -G pe-puppet petec

Do this for all users who will edit puppet code and make sure that you edit 
puppet code and commit to Git using your regular user account, not as root.

This setup has been working fine for us.  I also set up 3 Puppet environments in 
this way (for dev, QA and prod) and propagate code between environments with 
SVN.

—
Pete



On Oct 29, 2013, at 6:50 PM, Hyunil Shin <anyone.can.t...@gmail.com> wrote:

> Hello..
> 
> I have the same problem as you, except that I am using Git.
> Can you describe your solution in more detail?
> As you said that /etc/puppet has mixed ownership of root and pe-puppet, how 
> can you check out the puppet configuration from svn while preserving 
> permissions and ownership?
> 
> 
> Thank you~
> 
> 
> On Tuesday, May 7, 2013 2:17:33 AM UTC+9, P Cornellio wrote:
> That's correct, my concern is permissions/ownership changes inside 
> /etc/puppet on the master after doing commits/check-outs, especially when new 
> manifests are added on clients, outside of the master, then committed to the 
> repo and updated onto the master.  Our master currently has mixed ownership 
> between both root and pe-puppet user.  I will go with the approach of using 
> the pe-puppet user on the master.
> 
> 
> On Monday, May 6, 2013 5:43:20 AM UTC-7, Bernardo Costa wrote:
> I suppose your concerns are about the check-outs of the svn repo on the 
> puppet root directory, not about permissions and ownership inside the repo. 
> Once you do the svn co command as your user (not recommended), the new files 
> will be created owned by you. It might fail if your user does not have 
> permission to create or modify these files inside the puppet tree source 
> file. The best thing to do is run the svn co command as user puppet but 
> you'll need to set its password or a sudo set of commands.
> 
> On Sunday, May 5, 2013 12:58:18 AM UTC-3, P Cornellio wrote:
> Hi,
> 
> I am in the process of putting my Puppet Master configs into version control 
> using SVN.  I'm concerned about file permission and ownership changes as a 
> result of this.  SVN does not store permissions.  How does one safely use SVN 
> with puppet configs?  
> 
> Cheers,
> 
> Pete
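
An added check for the shared-group layout described at the top of this message (an illustration, not code from the thread or from Puppet): it reports entries under the manifest directories that are in the wrong group, directories missing the setgid bit, entries the group cannot write, and anything world-writable. The function names, the finding labels and the constructed sample tree are assumptions; the sample tree uses the caller's own primary group as a stand-in for pe-puppet.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree against the shared-group layout.

# audit_tree GROUP DIR...  prints one finding per line; returns 1 if any were found.
audit_tree() {
    group=$1; shift
    findings=$(
        for dir in "$@"; do
            # Entries outside the shared group cannot be edited by the other members.
            find "$dir" ! -group "$group" | sed 's/^/WRONG_GROUP /'
            # Without setgid, new files get their creator's primary group instead.
            find "$dir" -type d ! -perm -2000 | sed 's/^/NO_SETGID /'
            # Group members need write access to edit files and update the checkout.
            find "$dir" ! -type l ! -perm -0020 | sed 's/^/NOT_GROUP_WRITABLE /'
            # World-writable code could be changed by any local account.
            find "$dir" ! -type l -perm -0002 | sed 's/^/WORLD_WRITABLE /'
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
}

# Constructed sample tree: one module set up as in the thread, one that has drifted.
# Uses the caller's own primary group as a stand-in for pe-puppet (assumption).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/modules/ok/manifests" "$root/modules/bad/manifests"
    touch "$root/modules/ok/manifests/init.pp" "$root/modules/bad/manifests/init.pp"
    chgrp -R "$(id -g)" "$root/modules"
    chmod -R 2774 "$root/modules"
    # Drift: a directory loses setgid and group write, a file becomes world-writable.
    chmod g-s,g-w "$root/modules/bad/manifests"
    chmod g-w,o+w "$root/modules/bad/manifests/init.pp"
    printf '%s\n' "$root"
}

# Stand-alone use: sh audit.sh pe-puppet /etc/puppetlabs/puppet/modules ...
if [ "$#" -ge 2 ]; then
    audit_tree "$@"
fi
```

Run after each checkout or update on the master, a non-zero exit status means the tree no longer matches the layout above.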
