On Thu, May 7, 2015 at 11:23 AM, jcf <joshua.fiel...@gmail.com> wrote:
> > On May 6, 2015, at 22:32, Josh Cooper <j...@puppetlabs.com> wrote:
> >
> > On Wed, May 6, 2015 at 7:29 AM, Johnson Earls <darkfoxpr...@gmail.com> wrote:
> >
> >> never mind. puppet agent ignores the user/group config settings, so those should be kept at puppet, and ${::settings::user} / ${::settings::group} should not be used to configure agent-related options (such as file ownership).
> >
> > The `puppet` user and group are really server-side settings, to specify a less privileged account to run the webrick/passenger/puppetserver process as.
>
> So, maybe there should be a test to see if the user even exists before mass-chown'ing directories?

The files and directories I'm talking about are internal to puppet, e.g. ssldir. When managing them, puppet already takes into account whether the `puppet` user exists or not.

> > To confuse things, `puppet` packages (rpm/deb) have always created the `puppet` user and group, but that was unnecessary on the agent. In Puppet 4, we have fixed this, so the puppet-agent package does not create a `puppet` user or group. Only the puppetserver package does that.
>
> So there is at least a dependency/ordering problem, at most an unchecked firehose turned on to change permissions, and this should be considered a bug. Also, this is playing pretty fast and loose with idempotence if this can't be configured around.

The behavior of how puppet manages its internal files has not changed for a long, long time. The only part that is different is which package creates the `puppet` user and group. What's the specific issue you're concerned about?

> >> On Tuesday, May 5, 2015 at 10:40:00 PM UTC-7, Johnson Earls wrote:
> >>
> >>> I'm running into a frustrating issue, and I'm wondering if I'm just not doing something right.
> >>>
> >>> My understanding is that the puppet agent has to run with the config "user" and "group" set to "root" so that it can make changes to the system. The puppet server, on the other hand, runs as user and group "puppet".
> >>>
> >>> However, every time the puppet agent activates, it changes the ownership of *most* of the subdirectories and files within the /etc/puppetlabs/puppet/ssl directory to root, which then prevents the puppet server from either starting up or being able to sign certificates.
> >
> > In Puppet 4, you can get into this state if you install puppet-agent, and run it at least once. Since the `puppet` user won't exist, the agent will set permissions to `root:root:750` for file/directory-related settings like `privatekeydir`.
>
> Ouch. This violates the "principle of least surprise" at least two different ways.

If the `puppet` user doesn't exist, we use secure defaults.

> > If you then install puppetserver, it will create the `puppet` user, start the server as that user, and fail to start, because the puppet user can't read `privatekeydir`, etc. However, as soon as you run `puppet agent` (or `apply`) on the master, it will restore the permissions to `puppet:puppet` and the puppetserver will start successfully.
>
> So, if I started the components in the wrong order once, it now takes an extra run to sort everything out, and doesn't log it well enough to be deciphered? Double-ouch.

In practice this happens rarely. Usually you install puppetserver, which brings in puppet-agent as a dependency. But if you do run into this issue, I recommend filing a ticket and even submitting a PR to update the puppetserver install logic.

> >>> Am I misunderstanding how these two processes work and interact?
> >>>
> >>> Should the puppet agent run with the config user/group set to "puppet", even though puppet won't have permission to make most of the changes on the system?
> >>> Or should the puppet server run as root?

--
Josh Cooper
Developer, Puppet Labs

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2Bu97ukfseuiUkMCpAobSZ6-_VRfxic5tJ_2auK2LPjZkW7EUA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
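The install-order problem discussed in this thread (agent runs before the `puppet` user exists and sets ssldir to root:root, puppetserver then cannot read `privatekeydir` until an agent run on the master restores puppet:puppet), replayed as an added example that is not part of the thread or of Puppet's own code. The `audit_ssldir` check can also be pointed at a live ssldir with its default inode reader; the sample tree, its file names and the `puppet_user_exists` helper are my constructions, not Puppet internals.

```python
import os, pwd, tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

def expected_owner(puppet_user_exists: bool) -> str:
    """Per the thread: puppet owns its internal files when the `puppet` account
    exists, otherwise the agent falls back to the secure default root:root."""
    return "puppet" if puppet_user_exists else "root"

def puppet_user_exists() -> bool:
    """Constructed helper: the existence check made before choosing puppet or root."""
    try:
        return bool(pwd.getpwnam("puppet"))
    except KeyError:
        return False

def audit_ssldir(ssldir: str, user_exists: bool,
                 owner_of: Optional[Callable[[Path], str]] = None) -> List[Tuple[str, str]]:
    """List (relative path, owner) for entries not owned as puppet would set them;
    owner_of is injectable for the constructed tree, the default reads the real inode."""
    if owner_of is None:
        owner_of = lambda p: pwd.getpwuid(os.lstat(p).st_uid).pw_name
    want, root = expected_owner(user_exists), Path(ssldir)
    return [(str(p.relative_to(root)), owner_of(p))
            for p in sorted(root.rglob("*")) if owner_of(p) != want]

def make_sample_ssldir(base: str) -> List[Path]:
    """Constructed stand-in for /etc/puppetlabs/puppet/ssl (no real key material)."""
    entries = []
    for rel in ("private_keys/agent.pem", "certs/agent.pem", "ca/ca_crt.pem"):
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed placeholder\n")
        entries += [path.parent, path]
    return entries

def simulate_thread_scenario() -> Tuple[list, list, list]:
    """Replay the install-order problem from the thread on a constructed tree."""
    with tempfile.TemporaryDirectory() as ssldir:
        # 1. puppet-agent installed and run first: no `puppet` user yet, so the
        #    agent sets root:root; auditing against that expectation is clean.
        owners: Dict[Path, str] = {p: "root" for p in make_sample_ssldir(ssldir)}
        owner_of = lambda p: owners[p]
        before = audit_ssldir(ssldir, False, owner_of)
        # 2. puppetserver installed: creates `puppet`, starts as it, and cannot
        #    read the root-owned privatekeydir. Every entry is now flagged.
        broken = audit_ssldir(ssldir, True, owner_of)
        # 3. Fix from the thread: a `puppet agent` (or `apply`) run on the master
        #    re-chowns everything to puppet:puppet and the audit is clean again.
        for p in owners:
            owners[p] = expected_owner(True)
        fixed = audit_ssldir(ssldir, True, owner_of)
    return before, broken, fixed
```

On a real master, `audit_ssldir("/etc/puppetlabs/puppet/ssl", puppet_user_exists())` returning a non-empty list is the state in which puppetserver fails to start.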