Issue #7144 has been updated by Matt Wise.
Apparently you do :). Here's the actual config from one of my hosts.

[root@fds103 log]# cat /etc/puppet/puppet.conf
#######################################################################################################################
# THIS FILE IS MANAGED BY PUPPET, DO NOT EDIT MANUALLY
#######################################################################################################################
[main]
# the server name of the main puppet server (used when doing 'puppet agent -t', so you don't have to add --server)
server = puppet
# Where Puppet stores dynamic and growing data.
# The default value is '/var/puppet'.
vardir = /var/lib/puppet
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
factpath = $vardir/lib/facter
# sync down any plugins necessary
pluginsync = true
# make sure we always generate a local graph
graph = true
# explicitly set the permissions of this tree to readable by anyone in the puppet group
privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 }
# The default value is '$privatekeydir/$certname.pem'.
hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }

[agent]
# do NOT listen on port 8139 for connections from clients
listen = false
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
report = true
reportfrom = puppet-reports
filetimeout = 0
environment = production

Additionally, the format is documented in the configuration doc on the website:
http://docs.puppetlabs.com/references/2.6.8/configuration.html#file-format

[main]
myfile = /tmp/whatever {owner = root, mode = 644}
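An added example (my own Python, not Puppet's code or anything from the report) that parses this setting syntax, converts the octal mode string into an integer, and checks a path's actual permission bits against the configured ones. The sample config is constructed from the lines quoted above; $vardir-style interpolation is not performed, which is a simplification of this example.

```python
import os
import re
import stat

# One setting line: name = value, optionally followed by { owner = ..., group = ..., mode = ... }
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*(?:\{(.*)\})?\s*$")

def parse_metadata(text):
    """Turn 'owner = service, group = service, mode = 640' into a dict."""
    meta = {}
    for part in text.split(","):
        if "=" not in part:
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        # mode is an octal literal that arrives as a string; convert it explicitly so it
        # can be compared with the integer permission bits that stat() returns
        meta[key] = int(value, 8) if key == "mode" else value
    return meta

def parse_puppet_conf(text):
    """Return {section: {name: (value, metadata)}}; comments and blank lines are skipped."""
    sections, current = {}, "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        match = SETTING_RE.match(line)
        if match is None:
            continue
        name, value, meta = match.groups()
        sections.setdefault(current, {})[name] = (value, parse_metadata(meta) if meta else {})
    return sections

def mode_matches(actual_mode, meta):
    """True when the permission bits equal the configured mode, or no mode is configured."""
    return "mode" not in meta or actual_mode == meta["mode"]

def audit_path(path, meta):
    """stat() a real path and compare its permission bits with the metadata: (ok, actual)."""
    actual = stat.S_IMODE(os.stat(path).st_mode)
    return mode_matches(actual, meta), actual

SAMPLE_CONF = """[main]
server = puppet
privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 }
hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }
"""  # constructed sample built from the lines quoted in the report
```

Run `audit_path("/var/lib/puppet/ssl/private_keys", conf["main"]["privatekeydir"][1])` on a host to see whether the directory's bits actually match the configured 750.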
----------------------------------------
Bug #7144: puppetd cannot create new private key if hostprivatekey/privatekeydir have permissions configured in /etc/puppet/puppet.conf
https://projects.puppetlabs.com/issues/7144
Author: Matt Wise
Status: Needs Decision
Priority: Normal
Assignee: Nigel Kersten
Category: SSL
Target version:
Affected Puppet version: 2.6.5
Keywords:
Branch:
Our servers set their puppet private keys with some unique permissions because
we use the keys for several purposes. This works fine once the keys are
created, but if we have to wipe the key dir and re-start on a node Puppet
complains unless we remove the lines from the puppet.conf. For example, here
are the lines in the puppet.conf that cause the problem:
# explicitly set the permissions of this tree to readable by anyone in the puppet group
privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 }

# The default value is '$privatekeydir/$certname.pem'.
hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }
With those lines in place, and the SSL directory wiped clean (i.e., fresh
install):

Executing [/usr/bin/puppet agent --server puppet.mydomain.com -t --detailed-exitcodes]
info: Creating a new SSL key for test.dc1.prod.mydomain.com
err: Could not request certificate: Could not write /var/lib/puppet/ssl/private_keys/test.dc1.prod.mydomain.com.pem to privatekeydir: can't convert String into Integer
Exiting; failed to retrieve certificate and waitforcert is disabled
Returned value: 1
This happens every single time. If we remove those lines from the config, the
puppet key generation works properly and the puppet run succeeds (which then
adds those lines back in to the config, which ultimately sets the proper
permissions on those files).
OS: CentOS 5.5
Puppet Version: 2.6.5