On 7 January 2011 01:33, jcbollinger <john.bollin...@stjude.org> wrote:
> > On Jan 5, 8:39 pm, John Warburton <jwarbur...@gmail.com> wrote:
> [...]
> > Our own situation is that we have developers who build their own
> > applications, and if we packaged them with RPM or pkg, then they would have
> > to be installed as root. We don't trust them enough for that, so right now
> > we run an exec as the application owner to unpack the tar.gz
>
> Like Doug, I don't quite follow that. Perhaps I misunderstand
> "installed as root", because Puppet is already providing root
> privileges for the installation. If you mean "installed as owned by
> root" or "installed in <choose particular location>" then you are
> mistaken: RPMs can easily be built so that their files are installed
> wherever you like and have whatever ownership and permissions you
> like.

I probably wasn't clear, but what I meant was that rpm and pkgadd have to run as root, so we have to trust that the developers didn't do anything silly / naughty / destructive in the script areas, or overwrote into places like /bin. We don't have the resources right now to build them ourselves or audit such packages, so the least worst compromise (for us) was installing a tarball with an exec being run as the application owner.

> If you are concerned about scriptlets in the RPM being run as root
> then you can easily avoid that. Don't rely on the developers to
> package their own software; instead take the tarballs they already
> provide and package up all the contents in RPM form (without any

As above, we'd like to, but we just don't have the resources to do this right now.

> I try at all costs to avoid installing anything on my systems without
> packaging it. That way I know what's (supposed to be) there, I can
>
> YMMV.

I agree, but we're in the early stages of large scale puppet deployment. Proper package management techniques for the outliers hopefully will come in the next iteration.

BTW for Solaris people, we use pkgbuild (http://pkgbuild.sourceforge.net/) which will automatically build a SVR4 pkg or IPS package from an RPM-like SPEC file. It is pretty cool - it enforces that you don't build packages as root, and if you have your SPEC file created correctly does everything from downloading a tarball, configure, compile and packaging. Very nice, and is what the Open Solaris project uses.

Regards
John
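The audit John says they cannot afford is cheap to mechanise. The script below is an added example, not code from this thread, from Puppet or from rpm: it queries a developer-supplied RPM without installing it and refuses it if it declares any scriptlet (which would run as root under `rpm -i`), or if any packaged file lands outside an agreed prefix, is owned by someone other than the application account, or carries a setuid/setgid bit. The prefix `/opt/myapp`, the owner `myapp`, the two sample packages and the assumed `rpm -qp --dump` line layout (`path size mtime digest mode owner group isconfig isdoc rdev symlink`) are constructed here for illustration.

```shell
#!/bin/sh
# Pre-install gate for a developer-built RPM (added example, not from the thread).
# 'rpm -i' runs as root, so a package can carry scriptlets that execute arbitrary
# code as root, and can drop files anywhere (e.g. /bin). Inspect the package
# *without* installing it and reject it unless:
#   1. it declares no scriptlets at all   (rpm -qp --scripts PKG prints nothing), and
#   2. every file sits under the agreed prefix, is owned by the application
#      account, and carries no setuid/setgid bit   (rpm -qp --dump PKG).
# Assumed --dump line layout: path size mtime digest mode owner group isconfig isdoc rdev symlink

# audit_scripts SCRIPTS_TEXT -> returns 0 only when SCRIPTS_TEXT is empty (no scriptlets).
audit_scripts() {
    if [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]; then
        echo "REJECT: package declares scriptlets that would run as root:" >&2
        printf '%s\n' "$1" | grep -E '^(pre|post|trigger|verify)' >&2 || true
        return 1
    fi
    return 0
}

# audit_files DUMP_TEXT PREFIX OWNER -> returns 0 only when every file entry passes.
audit_files() {
    dump=$1 prefix=$2 owner=$3 bad=0
    # Here-document rather than a pipe so the loop runs in this shell and can set 'bad'.
    while read -r path _size _mtime _digest mode fowner _fgroup _rest; do
        [ -n "$path" ] || continue
        case "$path" in
            "$prefix" | "$prefix"/*) ;;
            *) echo "REJECT: $path is outside $prefix" >&2; bad=1 ;;
        esac
        if [ "$fowner" != "$owner" ]; then
            echo "REJECT: $path is owned by $fowner, expected $owner" >&2; bad=1
        fi
        # mode is octal, e.g. 0100755; the digit before the last three holds the
        # setuid (4), setgid (2) and sticky (1) bits.
        if [ ${#mode} -ge 4 ]; then
            special=${mode%???}; special=${special#"${special%?}"}
            case "$special" in
                [2-7]) echo "REJECT: $path has setuid/setgid bits (mode $mode)" >&2; bad=1 ;;
            esac
        fi
    done <<EOF
$dump
EOF
    [ "$bad" -eq 0 ]
}

# audit_rpm PKG PREFIX OWNER -> the live check, for a host that has rpm(8) installed.
audit_rpm() {
    audit_scripts "$(rpm -qp --scripts "$1")" &&
        audit_files "$(rpm -qp --dump "$1")" "$2" "$3"
}

# --- constructed sample query output standing in for two packages -----------------
GOOD_DUMP='/opt/myapp 4096 1294360000 0000000000000000000000000000000000000000000000000000000000000000 040755 myapp myapp 0 0 0 X
/opt/myapp/bin/myapp 12345 1294360000 deadbeef 0100755 myapp myapp 0 0 0 X'
BAD_SCRIPTS='postinstall scriptlet (using /bin/sh):
chmod 4755 /opt/myapp/bin/helper'
BAD_DUMP='/opt/myapp/bin/helper 12345 1294360000 deadbeef 0104755 root root 0 0 0 X
/bin/myapp 12345 1294360000 deadbeef 0100755 root root 0 0 0 X'

if audit_scripts "" && audit_files "$GOOD_DUMP" /opt/myapp myapp; then
    echo "good package: safe to 'rpm -i' as root"
fi
audit_scripts "$BAD_SCRIPTS" || echo "bad package: rejected on scriptlets"
audit_files "$BAD_DUMP" /opt/myapp myapp || echo "bad package: rejected on file list"
```

Run `audit_rpm developer.rpm /opt/myapp myapp && rpm -i developer.rpm` on the build or staging host; the package is only ever handed to root's `rpm -i` after the gate passes, which is the trust boundary the tarball-plus-`exec` approach was standing in for.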