> On May 6, 2015, at 22:32, Josh Cooper <j...@puppetlabs.com> wrote:
> 
> On Wed, May 6, 2015 at 7:29 AM, Johnson Earls <darkfoxpr...@gmail.com> wrote:
> never mind.  puppet agent ignores the user/group config settings, so those 
> should be kept at puppet, and ${::settings::user} / ${::settings::group} 
> should not be used to configure agent-related options (such as file 
> ownership).
> 
> The `puppet` user and group are really server-side settings, to specify a 
> less privileged account to run the webrick/passenger/puppetserver process as.

So, maybe there should be a test to see if the user even exists before 
mass-chown’ing directories?

> To confuse things, `puppet` packages (rpm/deb) have always created the 
> `puppet` user and group, but that was unnecessary on the agent. In Puppet 4, we 
> have fixed this, so the puppet-agent package does not create a `puppet` user 
> or group. Only the puppetserver package does that.

So there is at least a dependency/ordering problem, at most an unchecked 
firehose turned on to change permissions, and this should be considered a bug. 
Also, this is playing pretty fast and loose with idempotence if this can’t be 
configured around.

> On Tuesday, May 5, 2015 at 10:40:00 PM UTC-7, Johnson Earls wrote:
> I'm running into a frustrating issue, and I'm wondering if I'm just not doing 
> something right.
> 
> My understanding is that the puppet agent has to run with the config "user" 
> and "group" set to "root" so that it can make changes to the system.
> The puppet server, on the other hand, runs as user and group "puppet".
> 
> However, every time the puppet agent activates, it changes the ownership of 
> most of the subdirectories and files within the /etc/puppetlabs/puppet/ssl 
> directory to root, which then prevents the puppet server from either starting 
> up or being able to sign certificates.
> 
> In Puppet 4, you can get into this state if you install puppet-agent, and run 
> it at least once. Since the `puppet` user won't exist, the agent will set 
> permissions to `root:root:750` for file/directory-related settings like 
> `privatekeydir`.

Ouch. This violates the “principle of least surprise” at least two different 
ways.

> If you then install puppetserver, it will create the `puppet` user, start the 
> server as that user, and fail to start, because the puppet user can't read 
> `privatekeydir`, etc. However, as soon as you run `puppet agent` (or `apply`) 
> on the master, it will restore the permissions to `puppet:puppet` and the 
> puppetserver will start successfully.

So, if I started the components in the wrong order once, it now takes an extra 
run to sort everything out, and doesn’t log it well enough to be deciphered? 
Double-ouch.

> 
> Am I misunderstanding how these two processes work and interact?
> 
> Should the puppet agent run with the config user/group set to "puppet", even 
> though puppet won't have permission to make most of the changes on the system?
> Or should the puppet server run as root?
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to puppet-users+unsubscr...@googlegroups.com 
> <mailto:puppet-users+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/puppet-users/3955db48-4062-460c-a8a4-0df405277afb%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/puppet-users/3955db48-4062-460c-a8a4-0df405277afb%40googlegroups.com?utm_medium=email&utm_source=footer>.
> 
> For more options, visit https://groups.google.com/d/optout 
> <https://groups.google.com/d/optout>.
> 
> 
> 
> -- 
> Josh Cooper
> Developer, Puppet Labs
> 
> PuppetConf 2015 <http://2015.puppetconf.com/> is coming to Portland, Oregon! 
> Join us October 5-9.
> Register now to take advantage of the Early Adopter discount 
> <https://www.eventbrite.com/e/puppetconf-2015-october-5-9-tickets-13115894995?discount=EarlyAdopter>
>  —save $349!
> 

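As an added example (not code from this thread, and not Puppet's own tooling): a pre-flight check of the kind suggested above, which a master could run before starting puppetserver. It mirrors the behaviour Josh describes: it reports which owner the agent would actually apply (the configured user if it exists, otherwise root) and lists everything under the SSL directory not owned by the server account, refusing to audit at all when that account is missing, since that is exactly the state in which a chown would silently fall back to root:root. The path default follows the /etc/puppetlabs/puppet/ssl directory mentioned in the thread; the variable and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the puppet-users thread and not part of Puppet.
# Pre-flight check for a Puppet 4 master: verify that the account the server
# runs as exists, and that nothing under the SSL directory is owned by
# someone else (typically root:root left behind by an early agent run).

# Assumed defaults; override via environment.
SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"
SERVER_USER="${SERVER_USER:-puppet}"
SERVER_GROUP="${SERVER_GROUP:-puppet}"

# 0 if the user exists in the system's account database, non-zero otherwise.
user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# 0 if the group exists (getent on glibc systems, /etc/group as a fallback).
group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

# Echo the owner an agent run would actually apply for a file setting:
# the configured user when it exists, otherwise root (the fallback
# described in the thread).
effective_owner() {
    if user_exists "$1"; then
        printf '%s\n' "$1"
    else
        printf 'root\n'
    fi
}

# Print every path under $1 not owned by $2:$3.
# Returns 2 without touching anything when the user or group does not
# exist, so a caller never "repairs" ownership toward root by accident.
audit_tree() {
    dir=$1
    user=$2
    group=$3
    if ! user_exists "$user" || ! group_exists "$group"; then
        echo "refusing: $user:$group does not exist on this host" >&2
        return 2
    fi
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print
}

# Human-readable report; exit 1 on mismatches, 2 when the check cannot run.
main() {
    echo "agent would apply owner: $(effective_owner "$SERVER_USER")"
    if out=$(audit_tree "$SSLDIR" "$SERVER_USER" "$SERVER_GROUP"); then
        if [ -n "$out" ]; then
            echo "paths not owned by $SERVER_USER:$SERVER_GROUP:"
            echo "$out"
            echo "fix (as root): chown -R $SERVER_USER:$SERVER_GROUP $SSLDIR"
            exit 1
        fi
        echo "ok: $SSLDIR is owned by $SERVER_USER:$SERVER_GROUP"
    else
        exit 2
    fi
}

# Only run the report when invoked as: sh preflight.sh --check
case "${1:-}" in
    --check) main ;;
esac
```

Run it as `sh preflight.sh --check` on the master after installing puppetserver but before starting it; an exit status of 2 means the `puppet` account is missing (puppetserver's package has not created it yet), and 1 means an earlier agent run left root-owned entries that a `puppet agent` or `puppet apply` run on the master, or the printed chown, will correct.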