Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Josh Cooper commented on PUP-8634 Re: Chown of ssldir Causing Failures Following up on the comments. The presence of the puppet account determines whether puppet will set the owner/group to that user, as opposed to "am I a server or not". It sounds like things are working as expected now, so I'm going to close. this. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Owen Rodabaugh updated an issue Puppet / PUP-8634 Chown of ssldir Causing Failures Change By: Owen Rodabaugh CS Priority: Needs Priority Minor CS Impact: Based on the comments in this ticket the behavior seems to be isolated to nodes upgrades from Puppet 3.x. Workarounds have been provided to either remove the puppet users and/or use the --manage_internal_file_permission=false setting in puppet.conf.While annoying this issue appears to have been resolved in puppet 4. CS Severity: 2 - Annoyance CS Business Value: 3 - CS Frequency: 1 - 1-5% of Customers Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Josh Cooper commented on PUP-8634 Re: Chown of ssldir Causing Failures Daniel Mcilhagga Please confirm whether the above suggestions will resolve the issue. Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title
Josh Cooper commented on PUP-8634
Re: Chown of ssldir Causing Failures
For security best-practices, the server process drops privileges to an unprivileged puppet service account. By default the service account is puppet:puppet for OSS and pe-puppet:pe-puppet for PE. The puppet server process (either webrick, passenger or puppetserver) shares the ssl private key and cert with its local puppet agent process, which runs as root. As a result, we set the owner and group for the ssldir to the service account. This behavior should only occur on the puppetserver nodes, not on agent-only nodes. Prior to puppet 4, the puppet package, would create the puppet service accounts. Starting in puppet 4 and up, the accounts are only created by the puppetserver package, since that is the only time they should be needed. However, the accounts may still exist if you installed puppet 3.x and upgraded. For this issue, I'd recommend deleting the puppet service accounts (user and group) from client machines. You can use puppet to do this, but you'll need to make it conditional so it doesn't delete the puppet user/group on the puppetserver host(s).
user { 'puppet':
ensure => absent
}
group { 'puppet':
ensure => absent
}
Another option is to set the puppet setting manage_internal_file_permissions=false on agents only, which will prevent puppet from managing the owner, group and mode of its internal files. However, you will need to chown the files back to root:root manually:
[root@dlm3vdrk977ay90 ~]# chown -R root:root /etc/puppetlabs/
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Adam Bottchen updated an issue Puppet / PUP-8634 Chown of ssldir Causing Failures Change By: Adam Bottchen CS Priority: Needs Priority Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Geoff Nichols assigned an issue to Unassigned Puppet / PUP-8634 Chown of ssldir Causing Failures Change By: Geoff Nichols Assignee: Geoff Nichols Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Daniel Mcilhagga assigned an issue to Geoff Nichols Puppet / PUP-8634 Chown of ssldir Causing Failures Change By: Daniel Mcilhagga Assignee: Daniel Mcilhagga Geoff Nichols Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Geoff Nichols assigned an issue to Daniel Mcilhagga Puppet / PUP-8634 Chown of ssldir Causing Failures Change By: Geoff Nichols Assignee: Daniel Mcilhagga Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Craig Gomes updated an issue Puppet / PUP-8634 Chown of ssldir Causing Failures Change By: Craig Gomes Team: Coremunity Add Comment This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-8634) Chown of ssldir Causing Failures
Title: Message Title Daniel Mcilhagga created an issue Puppet / PUP-8634 Chown of ssldir Causing Failures Issue Type: New Feature Assignee: Unassigned Created: 2018/04/06 1:01 AM Priority: Normal Reporter: Daniel Mcilhagga Currently Puppet as part of the install does a chown of the ssldir to puppet:puppet. A customer is currently asking if it is possible to disable this functionality. Below is a description of the customer's use case. "We only have a user called 'puppet' on a handful of our unix clients (relatively speaking - it is a few hundred), and for all other hosts the $ssldir is owned by root:root. We know why the GID isn't resolving (missing LDAP data) but as the use of a 'puppet' account on clients doesn't appear to gain us anything but causes the occasional agent installation failure (impacting our build automation) I wanted to look at preventing the chown operation during agent install." Add Comment
