Issue #5301 has been updated by Nigel Kersten.
Nick, we're actually looking at reinventing the way the audit metaparameter works, as it's not only a bit buggy, but isn't really as useful as it should be.

One of the things we're looking at doing is no longer having the client show the diff between audit output in state.yaml, but for it to simply collect that information, and submit it as part of the normal report. Is that going to fit into your desired goals?

----------------------------------------
Bug #5301: state.yaml contains outdated checksums for exported ssh_authorized_keys file
https://projects.puppetlabs.com/issues/5301

Author: Nick Moffitt
Status: Investigating
Priority: High
Assignee: Nigel Kersten
Category: exported resources
Target version:
Affected Puppet version: 2.6.1
Keywords:
Branch:

I have found what I believe to be incorrect checksums in state.yaml. My ultimate goal is to create a "stop the line" sort of system: if someone has manually edited a puppet-managed file, the next catalog collection will grind to a halt and alerting systems will send out notifications. To this end, I have done the following:

<ul>
<li> I have a custom fact that parses state.yaml into a format suitable for being fed into md5sum -c, and returns true if any of the checksums fail.
<li> I have a module that calls fail() if the custom fact is true.
</ul>

This system actually works rather well, I find. My problem is that I have an exported resource to allow ssh triggering of commands on a central machine from a set of other machines:

<pre>
@@ssh_authorized_key { "u...@$hostname":
    key     => $user_rsa_key,
    type    => 'ssh-rsa',
    user    => 'foo',
    options => "command=\"...\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from=\"$ipaddress\"",
}
</pre>

And then:

<pre>
node 'central.example.com' {
    # Create the authkeys file automatically
    Ssh_authorized_key <<| user == "foo" |>>
}
</pre>

The entry for /home/foo/.ssh/authorized_keys in state.yaml causes my md5sum system to fail every time.
Upon inspection, I note that the entry in state.yaml is exactly one revision out of date!

<pre>
# md5sum /home/foo/.ssh/authorized_keys; puppetd --environment=staging -t | grep 'checksum changed'; md5sum /home/foo/.ssh/authorized_keys
fc9e4d3f84f99cff14a16dbe20f0db70  /home/foo/.ssh/authorized_keys
notice: /Stage[main]//Node[central.example.com]/File[/home/foo/.ssh/authorized_keys]/checksum: checksum changed '{md5}7c2a499471221f2511afde8e2ca3c329' to '{md5}fc9e4d3f84f99cff14a16dbe20f0db70'
8492d19fb29b15d52c916a8d60c4b55c  /home/foo/.ssh/authorized_keys
</pre>

And then in state.yaml:

<pre>
File[/home/foo/.ssh/authorized_keys]:
  :checked: 2010-11-15 12:52:54.896678 +00:00
  :checksums:
    :md5: "{md5}fc9e4d3f84f99cff14a16dbe20f0db70"
  :synced: 2010-11-15 12:52:54.899011 +00:00
</pre>

Shouldn't the system have noticed a change from <code>{md5}fc9e4d3f84f99cff14a16dbe20f0db70</code> to <code>{md5}8492d19fb29b15d52c916a8d60c4b55c</code> there?

My puppetmaster is running 2.6.1-0ubuntu2 and central.example.com is running 0.25.4-2ubuntu6 (as are most of the other puppet clients, the remainder running the same as the master).
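The kind of check the report describes (compare the checksums recorded in state.yaml with the files on disk), as an added example; it is not the reporter's custom fact and not Puppet code. It assumes the state.yaml layout quoted in the report, and the `drifted_files` and `demo` names and all sample data are constructed for illustration.

```ruby
require 'yaml'
require 'digest/md5'
require 'tmpdir'

# Compare the md5 recorded for each File[...] resource in a state.yaml
# document with the file on disk. Returns { path => { recorded:, actual: } }
# for every mismatch; actual is nil when the file is missing.
def drifted_files(state_yaml)
  # Symbol keys (:checksums) and Time values (:checked) must be permitted.
  state = YAML.safe_load(state_yaml, permitted_classes: [Symbol, Time]) || {}
  state.each_with_object({}) do |(resource, data), drift|
    path = resource.to_s[/\AFile\[(.+)\]\z/, 1]
    sums = data.is_a?(Hash) ? data[:checksums] : nil
    recorded = sums.is_a?(Hash) ? sums[:md5] : nil
    next unless path && recorded

    recorded = recorded.to_s.sub(/\A\{md5\}/, '')
    actual = File.file?(path) ? Digest::MD5.file(path).hexdigest : nil
    drift[path] = { recorded: recorded, actual: actual } unless actual == recorded
  end
end

# Constructed demo: one untouched file and one edited after its checksum
# was recorded. Returns the basenames of the files reported as drifted.
def demo
  Dir.mktmpdir do |dir|
    kept = File.join(dir, 'motd')
    edited = File.join(dir, 'authorized_keys')
    File.write(kept, "managed by puppet\n")
    File.write(edited, "ssh-rsa AAAA-constructed foo@host1\n")
    state = [kept, edited].map do |f|
      <<~ENTRY
        File[#{f}]:
          :checked: 2010-11-15 12:52:54.896678 +00:00
          :checksums:
            :md5: "{md5}#{Digest::MD5.file(f).hexdigest}"
      ENTRY
    end.join
    File.write(edited, "ssh-rsa AAAA-constructed foo@host1\n# manual edit\n")
    drifted_files(state).keys.map { |p| File.basename(p) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

A result like this is only as trustworthy as the recorded checksum: if state.yaml lags the file by one revision, as reported above, the same comparison flags a file nobody edited by hand.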
