In regard to: Re: [Puppet Users] New to Puppet -- why the puppet user,...:

> Because standard systems administration practice is to rarely if ever
> run anything at all as root.

When it doesn't require root, that's absolutely true. This relates to
the principle of least privilege.

However, the puppet agent that runs on each puppet client requires the
ability to make modifications to nearly everything about the client
system, all in an effort to enforce the state that the puppet server
has indicated that the client should be in.

I suppose you could do that using something like "sudo" or Solaris
RBAC, but you would end up granting so much access to the puppet agent
that you would essentially be running it as root anyway. There's
very little point going through that exercise for an agent that requires
unfettered access to the client system.

To answer the original question: there's a puppet user and group for
the very few things that do *not* require root: specifically, the puppet
master and components like Dashboard. They are, essentially, web
applications, and don't require any special privileges, so the PuppetLabs
folks wisely made them run as a non-privileged user (& group).

Note that if your puppet master is a client of itself (or some other
puppet master) then the puppet agent running there still needs to be
run as root. The agent enforces the state, which requires administrative
access. The master calculates the state, which doesn't.

Tim
--
Tim Mooney tim.moo...@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, IACC Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
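
Added example, not part of the original message and not Puppet's own code: a small audit that checks the privilege split described above (agent as root, master as the unprivileged puppet account) against `ps -eo user=,args=` style output. The account name `puppet`, the verdict labels and the sample lines are assumptions made for illustration.

```python
import re

# Account each component should run as, per the message above (assumption:
# the unprivileged account is literally named "puppet").
EXPECTED_USER = {"agent": "root", "master": "puppet"}

# Matches "puppet agent"/"puppet master" and the older puppetd/puppetmasterd names.
ROLE_RE = re.compile(r"\bpuppet\s+(agent|master)\b|\b(puppetd|puppetmasterd)\b")
LEGACY = {"puppetd": "agent", "puppetmasterd": "master"}


def audit(ps_lines):
    """Return (user, role, verdict) for each Puppet process in `ps -eo user=,args=` lines."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # blank or malformed line
        user, args = parts
        m = ROLE_RE.search(args)
        if not m:
            continue  # not a Puppet process
        role = m.group(1) or LEGACY[m.group(2)]
        if user == EXPECTED_USER[role]:
            verdict = "ok"
        elif role == "master":
            # The master only calculates state; root here is needless exposure.
            verdict = "over-privileged" if user == "root" else "unexpected-user"
        else:
            # The agent enforces state and cannot do so without root.
            verdict = "cannot-enforce"
        findings.append((user, role, verdict))
    return findings


# Constructed sample output, not taken from a real host.
SAMPLE = """\
root     /usr/bin/ruby /usr/bin/puppet agent
puppet   /usr/bin/ruby /usr/bin/puppet master
root     /usr/bin/ruby /usr/bin/puppet master --no-daemonize
root     /usr/sbin/sshd -D
""".splitlines()

if __name__ == "__main__":
    for user, role, verdict in audit(SAMPLE):
        print(f"{role:<7} runs as {user:<7} -> {verdict}")
```

On a host that is both master and client, the expected result is two "ok" findings: one root-owned agent and one master under the unprivileged account.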