Hi Daniel, thanks for your long explanation. Knowing this it actually makes sense what puppet does :), although it kind of crashes with our (brilliant) rights management :).

greetings!
Axel.

On Tuesday, 11 September 2012 17:41:07 UTC+2, Daniel Pittman wrote:
>
> On Tue, Sep 11, 2012 at 2:00 AM, Axel Bock <axel...@arbeitsagentur.de> wrote:
> >
> > I am trying to manage /etc/sysconfig/apache2 with puppet. Due to our
> > internal security guidelines I have only rw- rights on the file itself, but
> > not the directory it's in.
> >
> > Now this happens:
> > err: /Stage[main]/Bas3::Webserver/File[/etc/sysconfig/apache2]/content:
> > change from {md5}2f2fecac48d78829670ac6a6e1b0b280 to
> > {md5}eb3d9c635452cfa9be615f0412fc5e2d failed: Permission denied -
> > /etc/sysconfig/apache2.puppettmp_5605
> >
> > For me it's pretty obvious that puppet tries to actually create a temp file
> > in the directory /etc/sysconfig, which of course must fail. (Funnily I see
> > the diff output before, which is kind of interesting, because puppet seems
> > to actually use a temp file under /tmp/... for that - why not simply copy
> > this one over, which is permitted by the file system rights?)
>
> The answer to "why do it this way?" is simple:
>
> If we write directly over the file, or if we write to /tmp and then
> copy over the target file, there is a window when the system can crash
> and you have neither the old version nor new version of the file. For
> larger files there is also a window where other processes can see a
> half-written file.
>
> Instead we write a temporary file and then use rename to replace it in
> one atomic rename - which is the Unix way to achieve this result.
>
> > Can anyone help me out here? It's not urgent, but somewhat annoying, and I
> > don't really get why this does not work.
>
> The semantics of Unix make it impractical to safely overwrite a file,
> and you can't perform an atomic rename across devices. That means
> that the only really safe bet is to use the same directory for
> temporary files.
>
> There isn't a switch to run in "please, risk data loss for me" mode or
> anything, so you would have to patch the core file type in Puppet to
> change this. (Which you probably don't want anyhow.)
>
> --
> Daniel Pittman
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ♲ Made with 100 percent post-consumer electrons

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/S8LY2eWVgdcJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
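The write-then-rename pattern discussed in this thread, as an added Ruby example that is not part of the original messages and is not Puppet's own code. The names `atomic_replace` and `demo`, the `.tmp_<pid>` suffix and the scratch directory are assumptions made for illustration.

```ruby
require "tmpdir"

# Write-then-rename as described in the thread: the temp file lives in the
# SAME directory as the target, so rename(2) never crosses a device.
# The ".tmp_<pid>" suffix is a constructed name, not Puppet's real scheme.
def atomic_replace(path, content)
  tmp = "#{path}.tmp_#{Process.pid}"
  begin
    # CREAT|EXCL refuses to reuse a file someone else planted at this name.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
      f.write(content)
      f.fsync                       # contents are on disk before the swap
    end
    File.chmod(File.stat(path).mode & 0o7777, tmp) if File.exist?(path)
    File.rename(tmp, path)          # readers see the old or the new file
    :replaced
  rescue Errno::EACCES, Errno::EPERM
    :directory_not_writable         # creating the temp file was refused
  ensure
    File.unlink(tmp) if File.exist?(tmp)
  end
end

# Constructed scenario in a scratch directory standing in for /etc/sysconfig.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, "apache2")
    File.write(target, "OLD\n")
    reader = File.open(target)      # a process that already has the file open
    inode_before = File.stat(target).ino
    result = atomic_replace(target, "NEW\n")
    reader_saw = reader.read        # still the complete old contents
    reader.close
    now = File.read(target)
    new_inode = File.stat(target).ino != inode_before
    File.chmod(0o555, dir)          # file stays rw, directory is read-only
    locked = atomic_replace(target, "NEWER\n")
    File.chmod(0o755, dir)          # restore so the scratch dir can be removed
    { result: result, reader_saw: reader_saw, now: now,
      new_inode: new_inode, locked: locked }
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

When run as root the directory permission check is bypassed, so `locked` comes back as `:replaced` instead of `:directory_not_writable`.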