Here is a workaround for anyone else affected by the same issue, noting the 
caveat that it will apply on every run:

```puppet
# Re-assert PuppetDB's ownership and modes of its SSL files on every agent
# run, so the files are put back before the puppetdb service needs them.
# Inheriting from the puppetdb class makes its $ssl_dir, $ssl_*_path,
# $puppetdb_user and $puppetdb_group variables available in this scope.
class profile::puppetdb inherits puppetdb {
  contain puppetdb
  contain puppetdb::master::config
  file {
    # The ssl dir itself: only the puppetdb user may traverse it.
    $ssl_dir:
      ensure => directory,
      owner  => $puppetdb_user,
      group  => $puppetdb_group,
      mode   => '0700';
    # Private key: readable by owner and group only.
    $ssl_key_path:
      ensure  => file,
      owner   => $puppetdb_user,
      group   => $puppetdb_group,
      mode    => '0640';
    # Host certificate: public material, world-readable is fine.
    $ssl_cert_path:
      ensure  => file,
      owner   => $puppetdb_user,
      group   => $puppetdb_group,
      mode    => '0644';
    # CA certificate: public material, world-readable is fine.
    $ssl_ca_cert_path:
      ensure  => file,
      owner   => $puppetdb_user,
      group   => $puppetdb_group,
      mode    => '0644';
  }
}
```


On Tuesday, February 2, 2021 at 10:00:43 AM UTC+11 comport3 wrote:

> Trying to fix the problem with "chattr +i *pem" results in Puppet breaking 
> fairly spectacularly, output:
> ```
> Error: Failed to set owner to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/owner:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: Failed to set group to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]/group:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem
> Error: Failed to set owner to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/owner:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: Failed to set group to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: 
> /File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]/group:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem
> Error: Failed to set owner to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/owner: change from 
> 'puppetdb' to 'puppet' failed: Failed to set owner to '998': Operation not 
> permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: Failed to set group to '998': Operation not permitted @ apply2files 
> - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: /File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]/group: change from 
> 'puppetdb' to 'puppet' failed: Failed to set group to '998': Operation not 
> permitted @ apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> Error: Could not prepare for execution: Got 3 failure(s) while 
> initializing: 
> File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem]: 
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/certs/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set owner to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem]:
>  
> change from 'puppetdb' to 'puppet' failed: Failed to set group to '998': 
> Operation not permitted @ apply2files - 
> /etc/puppetlabs/puppet/ssl/private_keys/puppetserver1.domain.example.pem; 
> File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
> 'puppet' failed: Failed to set owner to '998': Operation not permitted @ 
> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem; 
> File[/etc/puppetlabs/puppet/ssl/certs/ca.pem]: change from 'puppetdb' to 
> 'puppet' failed: Failed to set group to '998': Operation not permitted @ 
> apply2files - /etc/puppetlabs/puppet/ssl/certs/ca.pem
> ```
>
> On Monday, February 1, 2021 at 1:35:02 PM UTC+11 comport3 wrote:
>
>>
>> It seems the puppet agent, when invoked by the service or manually, is 
>> resetting the permissions on the files in the puppetdb ssldir 
>> (/etc/puppetlabs/puppetdb/ssl/*.pem) from puppetdb:puppetdb to 
>> puppet:puppet AND the mode on the 'private.pem' file to 0640, which means 
>> the next time the 
>> puppetdb service attempts to start, it fails due to a lack of permission.
>>
>> This only seems to have come up in the past week or so, as we've only 
>> just started observing it, and causing problems. We have a temporary 
>> workaround where we chown the files back to puppetdb, start PuppetDB and 
>> that's fine, but next puppet agent invocation causes the above issue.
>>
>> Has anyone else observed this problem? Is it a bug?
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/ffea35f9-2cc0-4cef-be66-525ed17d08a7n%40googlegroups.com.
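A small drift check for the ownership problem described in this thread, added here as an example and not part of any post above. It assumes the PuppetDB ssl dir layout from the puppetdb module (private.pem, public.pem, ca.pem, all owned by puppetdb:puppetdb) and the modes used in the workaround manifest; it can be run by hand or from a cron job before the puppetdb service starts, to catch the agent resetting the files to puppet:puppet.

```python
import os
import pwd
import grp
import stat
import sys

# Expected state per path relative to the ssl dir, mirroring the workaround
# manifest (directory 0700, private key 0640, certificates 0644).
# The file names are the puppetdb module defaults (assumption).
EXPECTED_MODES = {
    ".": 0o700,            # $ssl_dir
    "private.pem": 0o640,  # $ssl_key_path
    "public.pem": 0o644,   # $ssl_cert_path
    "ca.pem": 0o644,       # $ssl_ca_cert_path
}


def find_drift(observed, want_owner="puppetdb", want_group="puppetdb"):
    """observed maps relative path -> (owner, group, mode); returns findings."""
    findings = []
    for rel, want_mode in EXPECTED_MODES.items():
        if rel not in observed:
            findings.append(f"{rel}: missing")
            continue
        owner, group, mode = observed[rel]
        if owner != want_owner:
            findings.append(f"{rel}: owner {owner} != {want_owner}")
        if group != want_group:
            findings.append(f"{rel}: group {group} != {want_group}")
        if mode != want_mode:
            findings.append(f"{rel}: mode {mode:04o} != {want_mode:04o}")
    # A private key readable by 'other' is always a finding.
    if "private.pem" in observed and observed["private.pem"][2] & 0o007:
        findings.append("private.pem: world-readable")
    return findings


def observe(ssl_dir):
    """Stat the expected entries under ssl_dir and resolve uid/gid to names."""
    out = {}
    for rel in EXPECTED_MODES:
        try:
            st = os.stat(os.path.join(ssl_dir, rel))
        except FileNotFoundError:
            continue
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:  # unknown uid/gid, report the raw number
            owner, group = str(st.st_uid), str(st.st_gid)
        out[rel] = (owner, group, stat.S_IMODE(st.st_mode))
    return out


if __name__ == "__main__":
    ssl_dir = sys.argv[1] if len(sys.argv) > 1 else "/etc/puppetlabs/puppetdb/ssl"
    problems = find_drift(observe(ssl_dir))
    print("\n".join(problems) if problems else f"{ssl_dir}: ok")
    sys.exit(1 if problems else 0)
```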