Issue #5301 has been updated by Nigel Kersten.

Assignee deleted (Nigel Kersten)

This is high until we can investigate whether or not this is a problem in general, or just with the given ssh key type. If it's the former, it's high. If it's the latter, it's low.

----------------------------------------
Bug #5301: state.yaml contains outdated checksums for exported ssh_authorized_keys file
https://projects.puppetlabs.com/issues/5301

Author: Nick Moffitt
Status: Investigating
Priority: High
Assignee:
Category: exported resources
Target version: 2.6.5
Affected Puppet version: 2.6.1
Keywords: iteration_2010-12-01
Branch:

I have found what I believe to be incorrect checksums in state.yaml. My ultimate goal is to create a "stop the line" sort of system: if someone has manually edited a puppet-managed file, the next catalog collection will grind to a halt and alerting systems will send out notifications.

To this end, I have done the following:

<ul>
<li> I have a custom fact that parses state.yaml into a format suitable for being fed into md5sum -c, and returns true if any of the checksums fail.
<li> I have a module that calls fail() if the custom fact is true.
</ul>

This system actually works rather well, I find. My problem is that I have an exported resource to allow ssh triggering of commands on a central machine from a set of other machines:

<pre>
@@ssh_authorized_key { "u...@$hostname":
    key => $user_rsa_key,
    type => 'ssh-rsa',
    user => 'foo',
    options => "command=\"...\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,from=\"$ipaddress\"",
}
</pre>

And then:

<pre>
node 'central.example.com' {
    # Create the authkeys file automatically
    Ssh_authorized_key <<| user == "foo" |>>
}
</pre>

The entry for /home/foo/.ssh/authorized_keys in state.yaml causes my md5sum system to fail every time. Upon inspection, I note that the entry in state.yaml is exactly one revision out of date!

<pre>
# md5sum /home/foo/.ssh/authorized_keys; puppetd --environment=staging -t | grep 'checksum changed'; md5sum /home/foo/.ssh/authorized_keys
fc9e4d3f84f99cff14a16dbe20f0db70  /home/foo/.ssh/authorized_keys
notice: /Stage[main]//Node[central.example.com]/File[/home/foo/.ssh/authorized_keys]/checksum: checksum changed '{md5}7c2a499471221f2511afde8e2ca3c329' to '{md5}fc9e4d3f84f99cff14a16dbe20f0db70'
8492d19fb29b15d52c916a8d60c4b55c  /home/foo/.ssh/authorized_keys
</pre>

And then in state.yaml:

<pre>
File[/home/foo/.ssh/authorized_keys]:
  :checked: 2010-11-15 12:52:54.896678 +00:00
  :checksums:
    :md5: "{md5}fc9e4d3f84f99cff14a16dbe20f0db70"
  :synced: 2010-11-15 12:52:54.899011 +00:00
</pre>

Shouldn't the system have noticed a change from <code>{md5}fc9e4d3f84f99cff14a16dbe20f0db70</code> to <code>{md5}8492d19fb29b15d52c916a8d60c4b55c</code> there?

My puppetmaster is running 2.6.1-0ubuntu2 and central.example.com is running 0.25.4-2ubuntu6 (as are most of the other puppet clients, the remainder running the same as the master).
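
The check the report describes (state.yaml converted to `md5sum -c` input and verified against disk), sketched here as an added example; it is not the reporter's custom fact or Puppet's own code. The function names and the sample key material are hypothetical and constructed, and the sketch assumes a Ruby whose `YAML.safe_load` accepts `permitted_classes`.

```ruby
require 'yaml'
require 'digest/md5'
require 'tmpdir'

# Map each File[...] entry in state.yaml text to its recorded MD5 (hex).
# Entries without a well-formed "{md5}<32 hex>" value are skipped.
def recorded_md5s(state_yaml)
  # state.yaml uses Ruby symbol keys and timestamps, so permit only those.
  state = YAML.safe_load(state_yaml, permitted_classes: [Symbol, Time]) || {}
  state.each_with_object({}) do |(resource, data), out|
    path = resource.to_s[/\AFile\[(.+)\]\z/, 1] or next
    sums = data.is_a?(Hash) ? data[:checksums] : nil
    sum  = sums.is_a?(Hash) ? sums[:md5] : nil
    hex  = sum.to_s[/\A\{md5\}(\h{32})\z/, 1] or next
    out[path] = hex
  end
end

# Lines in the format `md5sum -c` reads: "<hex>  <path>".
def md5sum_manifest(state_yaml)
  recorded_md5s(state_yaml).map { |path, hex| "#{hex}  #{path}" }
end

# Paths whose on-disk content differs from the recorded checksum.
# A missing file counts as a mismatch.
def mismatched_files(state_yaml)
  recorded_md5s(state_yaml).reject do |path, hex|
    File.file?(path) && Digest::MD5.file(path).hexdigest == hex
  end.keys
end

# Constructed scenario: state.yaml records one revision of the file, then
# the file is rewritten, leaving the recorded checksum one revision behind.
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'authorized_keys')
    File.write(path, "ssh-rsa AAAA constructed-key-1\n")
    state = <<~STATE
      File[#{path}]:
        :checked: 2010-11-15 12:52:54.896678 +00:00
        :checksums:
          :md5: "{md5}#{Digest::MD5.file(path).hexdigest}"
    STATE
    before = mismatched_files(state)
    File.write(path, "ssh-rsa AAAA constructed-key-2\n")
    [before, mismatched_files(state), path]
  end
end
```

A stale state.yaml entry and a manual edit both surface as the same mismatch, so a check built this way cannot tell the two apart by itself.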
