Issue #16637 has been updated by Jeff McCune.
Status changed from Unreviewed to Accepted
Assignee deleted (Jeff McCune)
# History
Historically, we've gotten this "wrong" quite a few times when we've done major
and minor releases: ("this" being the selection of default path values relative
to the application mode and the effective UID of the process with nasty errors
rising up due to invalid permission.)
1. (#14609) - Wrong ssldir used when using 3.0rc1 packages under passenger
1. (#13588) - log dir is not permissioned properly
1. (#12494) - When cwd is invalid, puppet prints a stack trace
1. (#10914) - Fail to generate a fresh CA with 2.6.12 (if ssldir not in std.
location)
1. (#9862) - puppet 2.7 cannot run without puppet group on the system
1. (#7070) - Rack puppet master fails to start with Permission denied if $HOME
is not writable
1. (#7052) - Cert generation fails using "--ssldir"
1. (#6734) - root:root ownership on /var/lib/puppet breaks puppetmasterd
1. (#6256) - `/var/lib/puppet/rrd` not created
1. (#5303) - Puppet master fails when run as root due to inability to create
rrd directory
1. (#5530) - puppet master fails to create "$vardir/rrd"
1. (#4964) - wrong mode for directory /etc/puppet
1. (#4385) - vardir and confdir are set to '~' when running puppet master as
non-root user through Passenger
1. (#4253) - puppetmaster started in a non accessible directory for the puppet
user causing problems
1. (#4224) - vardir and confdir should be in ~/.puppet if not run as root
1. (#3922) - Backing up files by md5 and saving them "as user"
1. (#3236) - err: Could not retrieve catalog from remote server: No such file
or directory - /var/puppet/client_yaml/catalog
1. (#3121) - Issues running puppetmasterd as a genetic user
1. (#2705) - Fails to create reports for new nodes
1. (#2639) - Fail to store reports in simple default config
1. (#2626) - Unhelpful error message (unhelpful subject too.)
1. (#2519) - getcwd error when puppetmasterd is started from a directory where
puppet user has no rights
1. (#2500) - puppetmaster should not load certs when not running under webrick
1. (#2460) - ssl/private_keys ownership + Passenger
1. (#2095) - Changing the permissions of /etc/puppet/puppet.conf via puppet
crashes puppetmaster
1. (#1138) - /var/puppet/yaml not created until it's too late
1. (#985) - /usr/bin/puppetmasterd --mkusers fails
1. (#977) - Directory ownership of /var/puppet/run
1. (#816) - puppetmaster doesn't create "$vardir/facts" on startup
1. (#68) - puppetmasterd fails to create required directories
Yes, that's a two digit bug directly related to this issue. :/
----------------------------------------
Bug #16637: Puppet confdir and vardir are wrong when running non-root
https://projects.puppetlabs.com/issues/16637#change-72020
Author: Jeff McCune
Status: Accepted
Priority: Normal
Assignee:
Category: settings
Target version: 3.0.x
Affected Puppet version:
Keywords: telly settings defaults confdir vardir runmode run_mode master system
Branch:
# Overview
Puppet master should default to a confdir of `~/.puppet` and a vardir of
`~/.puppet/var` when running as non-root; instead it defaults to `/etc/puppet`
and `/var/lib/puppet` respectively.
In Puppet 3.0.0, the semantics of the term, "configuration directory" (confdir)
are as follows:
1. If `confdir` is explicitly configured, this value wins.
2. If Puppet is running as root (or the OS equivalent) then use the system
configuration directory. (e.g. `/etc/puppet` for FOSS or
`/etc/puppetlabs/puppet` for PE)
3. In all other situations use `~/.puppet`
These semantics are no longer affected by the specific username when running
non-root, or the application being run (master, agent, etc...).
This is not actually the case in 3.0.0 though:
# Actual Behavior
<pre>
$ puppet master --verbose --no-daemonize
Error: Could not set 'directory' on ensure: Permission denied - /etc/puppet
Error: Could not set 'directory' on ensure: Permission denied - /etc/puppet
Wrapped exception:
Permission denied - /etc/puppet
Error: /File[/etc/puppet]/ensure: change from absent to directory failed: Could
not set 'directory' on ensure: Permission denied - /etc/puppet
/File[/etc/puppet/var.master]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/bucket]: Dependency File[/etc/puppet] has
failures: true
Warning: /File[/etc/puppet/var.master/bucket]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/log]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/log]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/log/masterhttp.log]: Dependency File[/etc/puppet]
has failures: true
Warning: /File[/etc/puppet/var.master/log/masterhttp.log]: Skipping because of
failed dependencies
/File[/etc/puppet/var.master/yaml]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/yaml]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/ssl]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/ssl]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/ssl/public_keys]: Dependency File[/etc/puppet] has
failures: true
Warning: /File[/etc/puppet/var.master/ssl/public_keys]: Skipping because of
failed dependencies
/File[/etc/puppet/var.master/lib]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/lib]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/ssl/certificate_requests]: Dependency
File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/certificate_requests]: Skipping
because of failed dependencies
/File[/etc/puppet/var.master/run]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/run]: Skipping because of failed
dependencies
/File[/etc/puppet/manifests]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/manifests]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/private]: Dependency File[/etc/puppet] has
failures: true
Warning: /File[/etc/puppet/var.master/ssl/private]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/ssl/private_keys]: Dependency File[/etc/puppet]
has failures: true
Warning: /File[/etc/puppet/var.master/ssl/private_keys]: Skipping because of
failed dependencies
/File[/etc/puppet/var.master/rrd]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/rrd]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/ssl/certs]: Dependency File[/etc/puppet] has
failures: true
Warning: /File[/etc/puppet/var.master/ssl/certs]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/reports]: Dependency File[/etc/puppet] has
failures: true
Warning: /File[/etc/puppet/var.master/reports]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/server_data]: Dependency File[/etc/puppet] has
failures: true
Warning: /File[/etc/puppet/var.master/server_data]: Skipping because of failed
dependencies
/File[/etc/puppet/var.master/state]: Dependency File[/etc/puppet] has failures:
true
Warning: /File[/etc/puppet/var.master/state]: Skipping because of failed
dependencies
Error: Could not prepare for execution: Got 3 failure(s) while initializing:
Could not set 'directory' on ensure: Permission denied - /etc/puppet; Could not
set 'directory' on ensure: Permission denied - /etc/puppet
Wrapped exception:
Permission denied - /etc/puppet; change from absent to directory failed: Could
not set 'directory' on ensure: Permission denied - /etc/puppet
</pre>
# Expected behavior
`confdir` and `vardir` should default to my home directory when run as non-root
user "jeff"
<pre>
$ puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256):
E4:95:B1:A5:01:A5:07:80:0B:B7:C6:5E:C1:4F:58:EF:CD:FF:D3:DE:EC:30:EF:10:3C:92:53:91:7A:33:26:BC
Signed certificate request for ca
Rebuilding inventory file
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for mccune.local
Info: Creating a new SSL certificate request for mccune.local
Info: Certificate Request fingerprint (SHA256):
A8:77:22:5A:D0:C8:89:69:8E:3B:38:7A:0B:43:E3:D7:AA:E8:7F:73:F3:DC:E6:E2:0C:E1:BA:23:41:ED:4B:CF
mccune.local has a waiting certificate request
Signed certificate request for mccune.local
Removing file Puppet::SSL::CertificateRequest mccune.local at
'/Users/jeff/.puppet/ssl/ca/requests/mccune.local.pem'
Removing file Puppet::SSL::CertificateRequest mccune.local at
'/Users/jeff/.puppet/ssl/certificate_requests/mccune.local.pem'
Starting Puppet master version 3.0.0
</pre>
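The three selection rules from the Overview, combined with a preflight check for the "Permission denied" failure shown under Actual Behavior, as an added Ruby example that is not Puppet's own code. The helper names (`resolve_dirs`, `nearest_existing`, `unwritable`) are hypothetical; the paths are the FOSS defaults quoted in the issue.

```ruby
require 'tmpdir'

# System-wide defaults quoted in the issue (FOSS layout, not PE).
SYSTEM_DIRS = { confdir: '/etc/puppet', vardir: '/var/lib/puppet' }.freeze

# Rule 1: an explicit setting wins. Rule 2: root gets the system
# directories. Rule 3: everyone else gets ~/.puppet and ~/.puppet/var,
# regardless of username or application (master, agent, ...).
def resolve_dirs(euid:, home:, explicit: {})
  defaults = if euid.zero?
               SYSTEM_DIRS
             else
               base = File.join(home, '.puppet')
               { confdir: base, vardir: File.join(base, 'var') }
             end
  defaults.merge(explicit.compact) # nil means "not configured"
end

# Walk up to the closest path component that already exists; creating
# the target directory needs write access there.
def nearest_existing(path)
  path = File.expand_path(path)
  path = File.dirname(path) until File.exist?(path)
  path
end

# Return the settings whose directory this process (effective UID)
# could neither create nor write to, instead of failing mid-startup.
def unwritable(dirs)
  dirs.reject do |_, dir|
    anchor = nearest_existing(dir)
    File.directory?(anchor) && File.writable?(anchor)
  end
end

# Check the defaults for the current process.
current = resolve_dirs(euid: Process.euid, home: ENV['HOME'] || Dir.tmpdir)
unwritable(current).each do |name, dir|
  warn "#{name}=#{dir}: not creatable or writable by uid #{Process.euid}"
end
```
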