Issue #5300 has been updated by Nick Moffitt.

Peter Meier wrote:
> Could you add a `--debug` log with a minimal manifest? Are you able to
> reproduce this issue with a standalone setup? What does your manifest
> look like?

I'll need a little help getting a proper standalone setup, especially
with storedconfigs. Is there a good rundown of what to run and what to
include?

That said, the trouble seems to be that it thinks the options have
changed:
<pre>
notice:
/Stage[main]//Node[chocula.example.com]/Udldap::expiringsshkey[r...@crunchberry]/ssh_authorized_key[r...@crunchberry]/options:
options changed 'command="rsync --server --sender -pr .
/var/cache/stuff/hosts/crunchberry.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.94"'
to 'command="rsync --server --sender -pr .
/var/cache/stuff/hosts/crunchberry.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.94"'
debug: Finishing transaction 70303299594720
info: FileBucket adding /etc/ssh/user-authorized-keys/test as
{md5}f9ffb515e6ef94cad6e84efd5daec794
debug: Flushing ssh_authorized_key provider target
/etc/ssh/user-authorized-keys/test
notice:
/Stage[main]//Node[chocula.example.com]/Udldap::expiringsshkey[r...@booberry]/ssh_authorized_key[r...@booberry]/options:
options changed 'command="rsync --server --sender -pr .
/var/cache/stuff/hosts/booberry.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.93"'
to 'command="rsync --server --sender -pr .
/var/cache/stuff/hosts/booberry.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.93"'
debug: Flushing ssh_authorized_key provider target
/etc/ssh/user-authorized-keys/test
notice:
/Stage[main]/Stuff/Udldap::Exported::expiringsshkey[r...@chocula]/Udldap::expiringsshkey[r...@chocula]/ssh_authorized_key[r...@chocula]/options:
options changed 'command="rsync --server --sender -pr .
/var/cache/stuff/hosts/chocula.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.92"'
to 'command="rsync --server --sender -pr .
/var/cache/stuff/hosts/chocula.example.com",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.92"'
debug: Flushing ssh_authorized_key provider target
/etc/ssh/user-authorized-keys/test
</pre>
My options variable uses the facts for ipaddress and fqdn to fill in the
options. I've tried moving from sqlite to postgresql in the hopes that
this was caused by a deficiency in sqlite somehow.

I can re-run this on the "collecting" host (chocula), and it will insist
the options have changed for all three hosts even though only chocula
has reported in.

I'm using the expiring timestamps trick here, but the problem existed
without them.

An example of the export is:
<pre>
@@ssh_authorized_key { 't...@localhost':
  key       => $::the_key,
  type      => 'ssh-rsa',
  user      => 'test',
  options   => "command=\"rsync --server --sender -pr . /var/cache/stuff/hosts/$::fqdn\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from=\"$::ipaddress\"",
  target    => '/etc/ssh/user-authorized-keys/test',
  require   => Exec[make_key],
  subscribe => Exec[make_key],
}

Ssh_authorized_key <<| |>>
</pre>
Where the key contents were coming from a custom fact that parsed out the
data dumped into the keyfile by the make_key Exec.
----------------------------------------
Bug #5300: Header in exported ssh_authorized_keys changes even when contents do not
https://projects.puppetlabs.com/issues/5300
Author: Nick Moffitt
Status: Unreviewed
Priority: Normal
I'm using exported resources to collect ssh keys from custom facts and compile
a command-locked authorized_keys on a central machine. While investigating
some anomalies involving checksums in state.yaml for the exported
authorized_keys file, I noticed that the checksums for this file were unique to
a run. Setting a copy aside, I see:
<pre>
--- authorized_keys.old 2010-11-15 14:35:02.000000000 +0000
+++ authorized_keys 2010-11-15 14:35:09.000000000 +0000
@@ -1,4 +1,4 @@
-# HEADER: This file was autogenerated at Mon Nov 15 14:26:20 +0000 2010
+# HEADER: This file was autogenerated at Mon Nov 15 14:35:09 +0000 2010
# HEADER: by puppet. While it can still be managed manually, it
# HEADER: is definitely not recommended.
</pre>
This timestamp is causing a new copy of this file to appear in my filebuckets
on each run even though the rest of the file is unchanged. This has no upper
limit, and if the file were to grow significantly it could result in an
enormous amount of space being taken up.

It would appear that any provider that uses the parsedfile provider classes
gets this header, regardless of what comment delimiter the file uses. I'd
appreciate some way to turn this off, supply my own, or at least shut off that
timestamp. Ideally I suppose the exported resource ought not to re-generate it
if the only change would be that header.

The system collecting the authorized_keys file is puppet client at version
0.25.4-2ubuntu6 and puppet master at 2.6.1-0ubuntu2. Other clients are mostly
0.25.4-2ubuntu6 with a few 2.6.1-0ubuntu2 systems.
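
Added example, not part of the original report and not Puppet's own code: a header-insensitive comparison of two snapshots of a Puppet-managed `authorized_keys` file, so that a run which only rewrote the `# HEADER:` timestamp can be told apart from one that changed a key entry or its restrictions. The helper names, the key material and the key comment are constructed placeholders; the header text and option string follow the report.

```ruby
require 'digest'

# Header lines written by parsedfile-based providers, as shown in the report's diff.
HEADER_RE = /\A# HEADER:/

# Key entries only: header lines and blank lines are dropped.
def entries(text)
  text.each_line.map(&:chomp).reject { |l| l.empty? || l.match?(HEADER_RE) }
end

# Digest over the entries; stable across runs that only rewrite the header.
def body_digest(text)
  Digest::SHA256.hexdigest(entries(text).join("\n"))
end

# Classify the difference between two snapshots and list entry-level changes.
def compare_snapshots(old_text, new_text)
  old_e = entries(old_text)
  new_e = entries(new_text)
  status = if old_text == new_text then :identical
           elsif old_e == new_e then :header_only
           else :content_changed
           end
  { status: status, added: new_e - old_e, removed: old_e - new_e }
end

# Constructed sample data (hypothetical helper): header text follows the report,
# key material and key comment are placeholders.
def snapshot(timestamp, key_lines)
  <<~FILE + key_lines.map { |l| "#{l}\n" }.join
    # HEADER: This file was autogenerated at #{timestamp}
    # HEADER: by puppet. While it can still be managed manually, it
    # HEADER: is definitely not recommended.
  FILE
end

RESTRICT = 'command="rsync --server --sender -pr . /var/cache/stuff/hosts/crunchberry.example.com",' \
           'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from="192.168.1.94"'
LOCKED   = "#{RESTRICT} ssh-rsa AAAAconstructedKEY sample-key"
UNLOCKED = 'ssh-rsa AAAAconstructedKEY sample-key' # same key, restrictions gone

OLD_SNAPSHOT = snapshot('Mon Nov 15 14:26:20 +0000 2010', [LOCKED])
NEW_SNAPSHOT = snapshot('Mon Nov 15 14:35:09 +0000 2010', [LOCKED])
STRIPPED     = snapshot('Mon Nov 15 14:35:09 +0000 2010', [UNLOCKED])

puts compare_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT)[:status]
puts compare_snapshots(NEW_SNAPSHOT, STRIPPED)[:status]
```

A `:header_only` result is the case described in the report; `:content_changed` is the one worth alerting on for an `authorized_keys` file, and `added`/`removed` show which entries differ.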