Issue #13976 has been updated by Egon Kastelijn.
You are correct that our manifests/templates have a different group than the primary puppet group. We are running a normal Puppet master, without Passenger or Mongrel. The funny thing is that we updated to puppet-2.7.17-1.el5, and I am unable to reproduce the problem since then. I'll keep an eye on it, to see if the problem re-appears. ---------------------------------------- Bug #13976: PuppetMaster is unable to read manifest when manifest is not directly owned by user Puppet or from primary group Puppet https://projects.puppetlabs.com/issues/13976#change-68489 Author: Egon Kastelijn Status: Needs More Information Priority: Normal Assignee: Category: Target version: Affected Puppet version: Keywords: manifest rights user group Branch: When a manifest (or template) is owned by the userid 'puppet' or the groupid 'puppet' then the PuppetMaster proces can read the manifest just fine. But when the manifest has a userid, and a groupid that is not 'puppet' then the PuppetMaster process is unable to read the manifest. When I change my shell to the user 'puppet' (sudo -u puppet -i), under which the PuppetMaster process is running, then I can read the file nicely. This means that the OS and filesystem don't block the read-access to the file for the user 'puppet'. I think the PuppetMaster does some kind of extra check to see if it can read the manifest-file, but this check is not complete or wrong. I think it checks if the file is owned by the user 'puppet' and/or is readable by the group 'puppet', but it fails to check if the user 'puppet' is in a secondary group that also gives it read access to the manifest-file. $ ls -al website.rb -rw-rw---- 1 uav377 wsadmin 43598 Apr 12 17:44 website.rb $ $ getent group wsadmin wsadmin:x:9000:puppet $ A work-around, is to make the files world-readable, but this is not desirable as a permanent solution. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
