On Tue, Sep 11, 2012 at 2:00 AM, Axel Bock <axel.b...@arbeitsagentur.de> wrote:
>
> I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our
> internal security guidelines I have only rw- rights on the file itself, but
> not the directory it's in.
>
> Now this happens:
> err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content:
> change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to
> {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied -
> /etc/sysconfig/apache2.puppettmp_5605
>
> For me it's pretty obvious that puppet tries to actually create a temp file
> in the directory /etc/sysconfig, which of course must fail. (Funnily I see
> the diff output before, which is kind of interesting, because puppet seems
> to actually use a temp file under /tmp/... for that - why not simply copy
> this one over, which is permitted by the file system rights?)

The answer to "why do it this way?" is simple: If we write directly over the file, or if we write to /tmp and then copy over the target file, there is a window when the system can crash and you have neither the old version nor the new version of the file. For larger files there is also a window where other processes can see a half-written file.

Instead we write a temporary file and then use rename to replace it in one atomic rename - which is the Unix way to achieve this result.

> Can anyone help me out here? It's not urgent, but somewhat annoying, and I
> don't really get why this does not work.

The semantics of Unix make it impractical to safely overwrite a file, and you can't perform an atomic rename across devices. That means that the only really safe bet is to use the same directory for temporary files.

There isn't a switch to run in "please, risk data loss for me" mode or anything, so you would have to patch the core file type in Puppet to change this. (Which you probably don't want anyhow.)

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
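
The write-to-a-temp-file-then-rename pattern described in the reply above, as an added Ruby example (not Puppet's own code and not part of the original thread). `atomic_replace` and `demo` are hypothetical names, and the sample file and its contents are constructed.

```ruby
require 'tmpdir'
require 'securerandom'

# Replace `path` by writing a temp file in the SAME directory and renaming it
# over the target. This needs write permission on the directory, not only on
# the file, which is the "Permission denied" case reported above.
def atomic_replace(path)
  dir  = File.dirname(path)
  tmp  = File.join(dir, "#{File.basename(path)}.tmp_#{SecureRandom.hex(4)}")
  mode = File.exist?(path) ? File.stat(path).mode & 0o7777 : 0o644
  created = false
  begin
    # EXCL: fail rather than reuse or follow a pre-existing name.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      created = true
      yield f
      f.chmod(mode)
      f.fsync                 # data is on disk before the name changes
    end
    File.rename(tmp, path)    # atomic, but only within one filesystem
  ensure
    File.unlink(tmp) if created && File.exist?(tmp)  # only after a failure
  end
  begin
    File.open(dir) { |d| d.fsync }  # persist the new directory entry
  rescue SystemCallError, NotImplementedError
  end                               # (directory fsync is not portable)
  path
end

# Constructed sample: a failed write leaves the old file, a good one swaps it.
def demo
  Dir.mktmpdir do |d|
    target = File.join(d, 'apache2')
    File.write(target, "OLD\n")
    old_inode = File.stat(target).ino
    begin
      atomic_replace(target) { |f| f.write('NE'); raise IOError, 'constructed failure' }
    rescue IOError
    end
    after_failure = File.read(target)
    atomic_replace(target) { |f| f.write("NEW\n") }
    { after_failure: after_failure, final: File.read(target),
      new_inode: File.stat(target).ino != old_inode,
      leftovers: Dir.children(d) - ['apache2'] }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The changed inode shows that the rename swaps the directory entry instead of modifying the old file, which is why rw- on the file alone is not enough.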