No, when I do fresh checkouts the files are
664 petec pe-puppet site.pp
and directories will be
774 petec pe-puppet
Yes, petec is a member of pe-puppet group.
Setgid, or Set Group ID, will make the directory and files created within it
keep the ownership of the group you assign it instead of changing to the
primary group of the user who creates files in it. It’s a good way to share
files among multiple users and allow them all to read/write the same files.
Directories generally are always executable, but this method is not meant to
make files within them executable as Puppet does not need that.
More of an example for this:
I want all members of group pe-puppet to be able to edit files in a directory,
so I set group owner to pe-puppet:
chgrp pe-puppet mydir
or
chown petec:pe-puppet mydir
We can use chmod to set the group id bit:
chmod g+s mydir
or, with numeric mode:
chmod 2774 mydir
After this the permissions of ‘mydir’ become:
drwxrwsr-- petec pe-puppet mydir
Now the special trick about this: when I, or another user, create a file or
directory under ‘mydir’, it will have its group set as the group owner,
‘pe-puppet’, instead of the group of the user who creates it. So if another
user, johnc, were to do: mkdir mydir/newdir, it would look like:
drwxrwsr-- johnc pe-puppet newdir
And now both johnc and petec have rw access to newdir because we are both
members of ‘pe-puppet’. If johnc were to do the above without having the
setgid bit, the above permissions would instead be:
drwxrwsr-- johnc johnc newdir
Notice also the puppet daemon is in the pe-puppet group, so this approach
ensures it has unrestricted access to its files.
I like this method as it’s fairly simple once you get the concept, and allows
doing edits/commits/checkouts without becoming root. If you don’t have other
users editing puppet files this method may not be necessary.
Also, yes I do manage all the puppet directories this way, both
/etc/puppetlabs/puppet
and
/opt/puppet/share/puppet/modules
—
Pete
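As an added example (not code from this thread), here is a small audit script that checks a code tree for the layout Pete describes: every directory setgid, group rwx and owned by the puppet group, every file group rw, and nothing world-writable. The group name and directories are command-line arguments; the `pe-puppet` paths in the usage comment are the ones mentioned in the thread, and the script name is an assumption.

```python
"""Audit a shared Puppet code tree for the setgid layout: every directory has the
setgid bit, is group rwx and owned by the expected group; every file is owned by
that group and group rw; nothing is world-writable. Findings are returned, not
printed, so the check can feed a cron job or CI step."""
import grp
import os
import stat
import sys
from typing import List, Tuple

GROUP_RWX = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP
GROUP_RW = stat.S_IRGRP | stat.S_IWGRP


def check_inode(st: os.stat_result, expected_gid: int) -> List[str]:
    """Return policy violations for one stat result (empty list means compliant)."""
    mode = st.st_mode
    problems = []
    if st.st_gid != expected_gid:
        problems.append(f"group is gid {st.st_gid}, expected gid {expected_gid}")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if stat.S_ISDIR(mode):
        if not mode & stat.S_ISGID:
            problems.append("directory lacks setgid bit")
        if (mode & GROUP_RWX) != GROUP_RWX:
            problems.append("directory is not group rwx")
    elif (mode & GROUP_RW) != GROUP_RW:
        problems.append("file is not group rw")
    return problems


def audit_tree(root: str, expected_gid: int) -> List[Tuple[str, str]]:
    """Walk root without following symlinks; return (path, problem) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning here
            findings.extend((path, p) for p in check_inode(st, expected_gid))
    return findings


if __name__ == "__main__":
    # Usage (hypothetical script name): audit_puppet_perms.py pe-puppet
    #   /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
    gid = grp.getgrnam(sys.argv[1]).gr_gid
    bad = [f for d in sys.argv[2:] for f in audit_tree(d, gid)]
    for path, problem in bad:
        print(f"{path}: {problem}")
    sys.exit(1 if bad else 0)
```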
On Oct 30, 2013, at 6:47 PM, Hyunil Shin wrote:
> Thank you very much.
>
> I want to know more in your method.
>
> As a result, anyway, when you do fresh checkout, the files are like
> 664 petec petec site.pp
> 664 petec petec x
> and petec is included in pe-puppet.
>
> Am I right?
>
> Also, I don't understand what setgid do.
> Does setgid affect only execution?
> I am not sure that modules and manifests need to be executed.
>
> You seem to manage only modules and manifests.
> I try to manage all the files under /etc/puppetlabs, so I wonder if your
> method can be applied.
>
>
> My current method is
> 1. default mv /etc/puppetlabs to [another place]
> 2. create symbolic link
> 3. git commit [another place]
> 4. as root, git push, pull
> This way, git pull does not modify permission and ownership.
> But, very dangerous when fresh checkout.
>
>
> Thank you.
>
>
> On Wed, Oct 30, 2013 at 1:41 PM, Pete Cornell
> wrote:
> Hello--
>
> It turns out I was overly cautious about changing ownership away from root.
> As long as you ensure the group owner is the puppet group, you can have mixed
> ownership for user.
>
> My solution was to use the Setgid bit on all directories where puppet
> manifests are located and change the directories' group ownership to the
> puppet group. I then place my regular user account into the puppet group and
> I edit puppet manifests as user, not as root.
>
> In effect, when I edit puppet manifests they will have ownership of
> pete:pe-puppet. When we do commits / checkouts from SVN they keep this same
> group ownership and function fine in Puppet runs.
>
> So the steps to make it work are:
>
> On the puppet directories, change group ownership to the puppet group, set
> the setgid bit and set file mode of rwx for group,
>
> e.g. as root:
>
> # chgrp -R pe-puppet /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
> # chmod -R 2774 /etc/puppetlabs/puppet/modules /etc/puppetlabs/puppet/manifests
>
> Placing the setgid bit will make files keep a group ownership of pe-puppet.
>
> Then, add your regular user account to the puppet group, e.g.
>
> # usermod -G pe-puppet petec
>
> Do this for all users who will edit puppet code and make sure that you edit
> puppet code and commit to Git using your regular user account, not as root.
>
> This setup has been working fine for us. I also set up 3 Puppet environments
> in this way (for dev, QA and prod) and propagate code between environments
> with SVN.
>
> —
> Pete
>
>
>
> On Oct 29, 2013, at 6:50 PM, Hyunil Shin wrote:
>
>> Hello..
>>
>> I have the same problem with you, except that I am using Git.