On Thu, May 7, 2015 at 11:23 AM, jcf <[email protected]> wrote:
> On May 6, 2015, at 22:32, Josh Cooper <[email protected]> wrote:
>
> > On Wed, May 6, 2015 at 7:29 AM, Johnson Earls <[email protected]> wrote:
> >
> >> never mind. puppet agent ignores the user/group config settings, so
> >> those should be kept at puppet, and ${::settings::user} /
> >> ${::settings::group} should not be used to configure agent-related options
> >> (such as file ownership).
> >
> > The `puppet` user and group are really server-side settings, to specify a
> > less privileged account to run the webrick/passenger/puppetserver process
> > as.
>
> So, maybe there should be a test to see if the user even exists before
> mass-chown’ing directories?

The files and directories I'm talking about are internal to puppet, e.g.
ssldir. When managing them, puppet already takes into account whether the
`puppet` user exists or not.

> > To confuse things, `puppet` packages (rpm/deb) have always created the
> > `puppet` user and group, but that was unnecessary on the agent. In Puppet
> > 4, we have fixed this, so the puppet-agent package does not create a
> > `puppet` user or group. Only the puppetserver package does that.
>
> So there is at least a dependency/ordering problem, at most an unchecked
> firehose turned on to change permissions, and this should be considered a
> bug. Also, this is playing pretty fast and loose with idempotence if this
> can’t be configured around.

The behavior of how puppet manages its internal files has not changed for a
long, long time. The only part that is different is which package creates
the `puppet` user and group. What's the specific issue you're concerned
about?

> >> On Tuesday, May 5, 2015 at 10:40:00 PM UTC-7, Johnson Earls wrote:
> >>
> >>> I'm running into a frustrating issue, and I'm wondering if I'm just not
> >>> doing something right.
> >>>
> >>> My understanding is that the puppet agent has to run with the config
> >>> "user" and "group" set to "root" so that it can make changes to the
> >>> system. The puppet server, on the other hand, runs as user and group
> >>> "puppet".
> >>>
> >>> However, every time the puppet agent activates, it changes the ownership
> >>> of *most* of the subdirectories and files within the
> >>> /etc/puppetlabs/puppet/ssl directory to root, which then prevents the
> >>> puppet server from either starting up or being able to sign certificates.
> >
> > In Puppet 4, you can get into this state if you install puppet-agent, and
> > run it at least once. Since the `puppet` user won't exist, the agent will
> > set permissions to `root:root:750` for file/directory-related settings
> > like `privatekeydir`.
>
> Ouch. This violates the “principle of least surprise” at least two
> different ways.

If the `puppet` user doesn't exist, we use secure defaults.

> > If you then install puppetserver, it will create the `puppet` user, start
> > the server as that user, and fail to start, because the puppet user can't
> > read `privatekeydir`, etc. However, as soon as you run `puppet agent` (or
> > `apply`) on the master, it will restore the permissions to `puppet:puppet`
> > and the puppetserver will start successfully.
>
> So, if I started the components in the wrong order once, it now takes an
> extra run to sort everything out, and doesn’t log it well enough to be
> deciphered? Double-ouch.

In practice this happens rarely. Usually you install puppetserver, which
brings in puppet-agent as a dependency. But if you do run into this issue, I
recommend filing a ticket and even submitting a PR to update the
puppetserver install logic.

> >>> Am I misunderstanding how these two processes work and interact?
> >>>
> >>> Should the puppet agent run with the config user/group set to "puppet",
> >>> even though puppet won't have permission to make most of the changes on
> >>> the system?
> >>> Or should the puppet server run as root?
> >>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Puppet Users" group.
> >> To unsubscribe from this group and stop receiving emails from it, send an
> >> email to [email protected].
> >> To view this discussion on the web visit
> >> https://groups.google.com/d/msgid/puppet-users/3955db48-4062-460c-a8a4-0df405277afb%40googlegroups.com.
> >> For more options, visit https://groups.google.com/d/optout.
--
Josh Cooper
Developer, Puppet Labs

PuppetConf 2015 <http://2015.puppetconf.com/> is coming to Portland, Oregon! Join us October 5-9.
Register now to take advantage of the Early Adopter discount <https://www.eventbrite.com/e/puppetconf-2015-october-5-9-tickets-13115894995?discount=EarlyAdopter> — save $349!

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2Bu97ukfseuiUkMCpAobSZ6-_VRfxic5tJ_2auK2LPjZkW7EUA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
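Added example, not part of this thread and not Puppet's own code: a small POSIX sh preflight for the ordering problem Josh describes. Before puppetserver is started it checks whether the `puppet` account exists at all (if not, the agent leaves the ssldir as root:root:750) and, if it does, whether everything under the ssldir is owned by it (if not, a `puppet agent` or `puppet apply` run on the master is what resets it to puppet:puppet). It assumes the Puppet 4 AIO ssldir path /etc/puppetlabs/puppet/ssl and the service account name `puppet`, both taken from the thread and both overridable through PUPPET_SSLDIR and PUPPET_SERVICE_USER; the function names and exit codes are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not from Puppet): preflight check for
# the agent-before-server ssldir ownership problem.
# Assumptions: Puppet 4 AIO layout (ssldir at /etc/puppetlabs/puppet/ssl)
# and a server account named "puppet". Both can be overridden.
PUPPET_SSLDIR="${PUPPET_SSLDIR:-/etc/puppetlabs/puppet/ssl}"
PUPPET_SERVICE_USER="${PUPPET_SERVICE_USER:-puppet}"

# puppet_user_exists USER: 0 if the account exists, non-zero otherwise.
puppet_user_exists() {
    id -u "$1" >/dev/null 2>&1
}

# ssldir_owner_mismatches DIR USER
# Prints each path under DIR that is not owned by USER, one per line.
# Exit status (example's own convention):
#   0  everything under DIR is owned by USER
#   1  some paths are not (the state puppetserver fails to start in)
#   2  USER does not exist (the agent then falls back to root:root:750)
#   3  DIR does not exist
ssldir_owner_mismatches() {
    dir="$1"
    owner="$2"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 3
    fi
    if ! puppet_user_exists "$owner"; then
        echo "user '$owner' does not exist; puppet will keep $dir as root:root" >&2
        return 2
    fi
    # POSIX find(1): list entries whose owner is not USER.
    mismatches=$(find "$dir" ! -user "$owner" 2>/dev/null)
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# puppetserver_preflight DIR USER: map the status onto the advice given
# in the thread; returns the same status as ssldir_owner_mismatches.
puppetserver_preflight() {
    ssldir_owner_mismatches "$1" "$2"
    status=$?
    case $status in
        0) echo "ok: everything under $1 is owned by $2" ;;
        1) echo "not ok: the paths above are not owned by $2; run 'puppet agent -t' (or 'puppet apply') on the master so puppet resets them to $2:$2, then start puppetserver" ;;
        2) echo "not ok: install puppetserver (which creates '$2') first, then re-run this check" ;;
        3) echo "not ok: $1 is missing; has puppet-agent run on this host?" ;;
    esac
    return $status
}

# Run the check when executed directly on a host that has an ssldir.
if [ -d "$PUPPET_SSLDIR" ]; then
    puppetserver_preflight "$PUPPET_SSLDIR" "$PUPPET_SERVICE_USER"
fi
```

Run it on the master before starting puppetserver: status 2 means the package that creates the account has not been installed yet, status 1 means the account exists but an earlier agent run left the ssldir as root:root and one more `puppet agent` (or `puppet apply`) run is needed, and status 0 means the server can read its private keys.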
