Thank you very much.
I want to know more in your method.
As result, anyway, when you do fresh checkout, the files are like
664 petec petec site.pp
664 petec petec x
and petec is included in pe-puppet.
Am I right?
Also, I don't understand what setgid do.
Does setgid affect only execution?
I am not sure that modules and manifests need to be executed.
You seem to manage only modules and manifests.
I try to manage all the files under /etc/puppetlabs, so I wonder if your
method can be applied.
My current method is
1. default mv /etc/puppetlabs to [another place]
2. create symbolic link
3. git commit [another place]
4. as root, git push, pull
This way, git pull does not modify permission and ownership.
But, very dangerous when fresh checkout.
Thank you.
On Wed, Oct 30, 2013 at 1:41 PM, Pete Cornell
pete.corn...@virginamerica.com wrote:
Hello--
It turns out I was overly cautious about changed ownership away from root.
As long as you ensure the group owner is the puppet group, you can have
mixed ownership for user.
My solution was to use the Setgid bit on all directories where puppet
manifests are located and change the directories group ownership to the
puppet group. I then place my regular user account into the puppet group
and I edit puppet manifests as user, not as root.
In effect, when I edit puppet manifests they will have ownership of
pete:pe-puppet. When we do commits / checkouts from SVN they keep this same
group ownership and function fine in Puppet runs.
So the steps to make it work are:
On the puppet directories, change group ownership to the puppet group, set
the setgid bit and set file mode of rwx for group,
e.g. as root:
# chgrp -R
pe-puppet /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
# chmod -R 2774 /etc/puppetlabs/puppet/modules
/etc/puppetlabs/puppet/manifests
Placing the setgid bit will make files keep a group ownership of pe-puppet.
Then, add your regular user account to the puppet group, e.g.
# usermod -G pe-puppet petec
Do this for all uses who will edit puppet code and make sure that you
edit puppet code and commit to Git using your regular user account, not as
root.
This setup has been working fine for us. I also setup 3 Puppet
environments in this way (for dev, QA and prod) and propagate code between
environments with SVN.
—
Pete
On Oct 29, 2013, at 6:50 PM, Hyunil Shin anyone.can.t...@gmail.com
wrote:
Hello..
I have the same problem with you, except that I am using Git.
Can you describe your solution in more details?
As you said that /etc/puppet has mixed ownership of root and pe-puppet,
how can you checkout puppet configuration from the svn with preserving
permission and ownership?
Thank you~
On Tuesday, May 7, 2013 2:17:33 AM UTC+9, P Cornellio wrote:
That's correct, my concern is permissions/ownership changes inside
/etc/puppet on the master after doing commits/check-outs, especially when
new manifests are added on clients, outside of the master, then committed
to the repo and updated onto the master. Our master currently has mixed
ownership between both root and pe-puppet user. I will go with the
approach of using the pe-puppet user on the master.
On Monday, May 6, 2013 5:43:20 AM UTC-7, Bernardo Costa wrote:
I suppose your concerns are about the check-outs of the svn repo on the
puppet root direcctory, not about permissions and ownership inside the
repo. Once you do svn co command as your user (not recommended), the new
files will be created having being owned by you. It might fail if you user
does not have permission tho create or modify these files inside the puppet
tree source file. The best thing to do is run the svn co command as user
puppet but you'll need to set its password or a sudo set of commands.
Em domingo, 5 de maio de 2013 00h58min18s UTC-3, P Cornellio escreveu:
Hi,
I an in the process of putting my Puppet Master configs into version
control using SVN. I'm concerned about file permission and ownership
changes as a result of this. SVN does not store permissions. How does one
safely use SVN with puppet configs?
Cheers,
Pete
--
You received this message because you are subscribed to the Google Groups
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAPCozZynVXNoh1c8M6%3Dc-w9zdEAtVXQOVWxJ2EdV3_a64tssDQ%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.
