Issue #5301 has been reported by Nick Moffitt.
----------------------------------------
Bug #5301: state.yaml contains outdated checksums for exported ssh_authorized_keys file
https://projects.puppetlabs.com/issues/5301
Author: Nick Moffitt
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:
I have found what I believe to be incorrect checksums in state.yaml.
My ultimate goal is to create a "stop the line" sort of system: if someone has
manually edited a puppet-managed file, the next catalog collection will grind
to a halt and alerting systems will send out notifications. To this end, I
have done the following:
<ul>
<li> I have a custom fact that parses state.yaml into a format
suitable for being fed into md5sum -c, and returns true if any
of the checksums fail.
<li> I have a module that calls fail() if the custom fact is true.
</ul>
This system actually works rather well, I find. My problem is that I have an
exported resource to allow ssh triggering of commands on a central machine from
a set of other machines:
<pre>
@@ssh_authorized_key { "u...@$hostname":
  key => $user_rsa_key,
  type => 'ssh-rsa',
  user => 'foo',
  options => "command=\"...\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from=\"$ipaddress\"",
}
</pre>
And then:
<pre>
node 'central.example.com' {
  # Create the authkeys file automatically
  Ssh_authorized_key <<| user == "foo" |>>
}
</pre>
The entry for /home/foo/.ssh/authorized_keys in state.yaml causes my md5sum
system to fail every time. Upon inspection, I note that the entry in
state.yaml is exactly one revision out of date!
<pre>
# md5sum /home/foo/.ssh/authorized_keys; puppetd --environment=staging -t | grep 'checksum changed'; md5sum /home/foo/.ssh/authorized_keys
fc9e4d3f84f99cff14a16dbe20f0db70 /home/foo/.ssh/authorized_keys
notice: /Stage[main]//Node[central.example.com]/File[/home/foo/.ssh/authorized_keys]/checksum: checksum changed '{md5}7c2a499471221f2511afde8e2ca3c329' to '{md5}fc9e4d3f84f99cff14a16dbe20f0db70'
8492d19fb29b15d52c916a8d60c4b55c /home/foo/.ssh/authorized_keys
</pre>
And then in state.yaml:
<pre>
File[/home/foo/.ssh/authorized_keys]:
  :checked: 2010-11-15 12:52:54.896678 +00:00
  :checksums:
    :md5: "{md5}fc9e4d3f84f99cff14a16dbe20f0db70"
  :synced: 2010-11-15 12:52:54.899011 +00:00
</pre>
Shouldn't the system have noticed a change from
<code>{md5}fc9e4d3f84f99cff14a16dbe20f0db70</code> to
<code>{md5}8492d19fb29b15d52c916a8d60c4b55c</code> there?
My puppetmaster is running 2.6.1-0ubuntu2 and central.example.com is running
0.25.4-2ubuntu6 (as are most of the other puppet clients, the remainder running
the same as the master).
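The check described in this report, sketched as an added example; it is not the reporter's custom fact or Puppet's own code. It assumes state.yaml entries have the layout quoted above, and the function names (`recorded_md5s`, `md5sum_lines`, `drifted_files`) and the sample file are constructed for illustration.

```ruby
require 'digest/md5'
require 'tmpdir'

# Map each File[...] entry in state.yaml text to its recorded MD5.
# A line scan is used instead of YAML.load, so no Ruby objects are deserialized.
def recorded_md5s(state_text)
  sums = {}
  current = nil
  state_text.each_line do |line|
    if (m = line.match(/^\s*([\w:]+)\[(.+)\]:\s*$/))
      current = m[1] == 'File' ? m[2] : nil   # only File resources are checked
    elsif current && (m = line.match(/:md5:\s*"?\{md5\}(\h{32})"?/))
      sums[current] = m[1].downcase
    end
  end
  sums
end

# Same data in the "<md5>  <path>" form that `md5sum -c` reads.
def md5sum_lines(state_text)
  recorded_md5s(state_text).map { |path, sum| "#{sum}  #{path}" }
end

# Paths whose on-disk MD5 differs from the recorded one (missing file => nil).
def drifted_files(state_text)
  recorded_md5s(state_text).each_with_object({}) do |(path, want), out|
    got = File.file?(path) ? Digest::MD5.file(path).hexdigest : nil
    out[path] = { recorded: want, actual: got } unless got == want
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    keys = File.join(dir, 'authorized_keys')
    File.write(keys, "ssh-rsa AAAA...constructed... foo@host1\n")
    # Constructed state.yaml text: the recorded sum is the one quoted in the
    # report, which will not match the constructed file written above.
    state = <<~YAML
      File[#{keys}]:
        :checked: 2010-11-15 12:52:54.896678 +00:00
        :checksums:
          :md5: "{md5}fc9e4d3f84f99cff14a16dbe20f0db70"
        :synced: 2010-11-15 12:52:54.899011 +00:00
    YAML
    puts md5sum_lines(state)
    drifted_files(state).each { |p, d| puts "DRIFT #{p}: #{d[:recorded]} != #{d[:actual]}" }
  end
end
```

A checker like this cannot tell a manual edit from a stale record: if state.yaml lags one revision behind, as reported here, every Puppet-made change to the file shows up as drift.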