Issue #16637 has been updated by Curtis Ruck.
The sheer lack of thought for existing puppetmaster users on this commit is frightening. This completely trashed my test environment.

So, historically, puppet master runs as the user 'puppet' since it doesn't need root access. But Puppet master should keep its certs in a location outside of his $HOME so things like httpd/mod_passenger can access the certificates.

By defaulting $confdir to ~/.puppet you're hiding the certs by default and making getting mod_passenger/httpd working for puppetmaster that much more difficult.

----------------------------------------
Bug #16637: Puppet confdir and vardir are wrong when running non-root
https://projects.puppetlabs.com/issues/16637#change-73647

Author: Jeff McCune
Status: Closed
Priority: Normal
Assignee:
Category: settings
Target version: 3.0.1
Affected Puppet version: 3.0.0
Keywords: telly settings defaults confdir vardir runmode run_mode master system
Branch: https://github.com/puppetlabs/puppet/pull/1194

# Overview

Puppet master should default to confdir of `~/.puppet` and vardir of `~/.puppet/var` when running as non-root, instead defaults to `/etc/puppet` and `/var/lib/puppet` respectively.

In Puppet 3.0.0, the semantics of the term, "configuration directory" (confdir) are as follows:

1. If `confdir` is explicitly configured, this value wins.
2. If Puppet is running as root (or the OS equivalent) then use the system configuration directory. (e.g. `/etc/puppet` for FOSS or `/etc/puppetlabs/puppet` for PE)
3. In all other situations use `~/.puppet`

These semantics are no longer affected by the specific username when running non-root, or the application being run (master, agent, etc...).
This is not actually the case in 3.0.0 though:

# Actual Behavior

<pre>
$ puppet master --verbose --no-daemonize
Error: Could not set 'directory' on ensure: Permission denied - /etc/puppet
Error: Could not set 'directory' on ensure: Permission denied - /etc/puppet
Wrapped exception: Permission denied - /etc/puppet
Error: /File[/etc/puppet]/ensure: change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet
/File[/etc/puppet/var.master]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/bucket]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/bucket]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/log]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/log]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/log/masterhttp.log]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/log/masterhttp.log]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/yaml]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/yaml]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/public_keys]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/public_keys]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/lib]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/lib]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/certificate_requests]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/certificate_requests]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/run]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/run]: Skipping because of failed dependencies
/File[/etc/puppet/manifests]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/manifests]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/private]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/private]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/private_keys]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/private_keys]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/rrd]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/rrd]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/certs]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/certs]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/reports]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/reports]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/server_data]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/server_data]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/state]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/state]: Skipping because of failed dependencies
Error: Could not prepare for execution: Got 3 failure(s) while initializing: Could not set 'directory' on ensure: Permission denied - /etc/puppet; Could not set 'directory' on ensure: Permission denied - /etc/puppet
Wrapped exception: Permission denied - /etc/puppet; change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet
</pre>

# Expected behavior

`confdir` and `vardir` should default to my home directory when run as non-root user "jeff"

<pre>
$ puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): E4:95:B1:A5:01:A5:07:80:0B:B7:C6:5E:C1:4F:58:EF:CD:FF:D3:DE:EC:30:EF:10:3C:92:53:91:7A:33:26:BC
Signed certificate request for ca
Rebuilding inventory file
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for mccune.local
Info: Creating a new SSL certificate request for mccune.local
Info: Certificate Request fingerprint (SHA256): A8:77:22:5A:D0:C8:89:69:8E:3B:38:7A:0B:43:E3:D7:AA:E8:7F:73:F3:DC:E6:E2:0C:E1:BA:23:41:ED:4B:CF
mccune.local has a waiting certificate request
Signed certificate request for mccune.local
Removing file Puppet::SSL::CertificateRequest mccune.local at '/Users/jeff/.puppet/ssl/ca/requests/mccune.local.pem'
Removing file Puppet::SSL::CertificateRequest mccune.local at '/Users/jeff/.puppet/ssl/certificate_requests/mccune.local.pem'
Starting Puppet master version 3.0.0
</pre>
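
The three confdir rules from the issue and the access concern raised in the comment, as an added Ruby example (not Puppet's code and not written by either poster). `resolve_dirs`, `untraversable_by_others` and the temporary directory layout are hypothetical; only the "other" execute bit is checked, so group membership and ACLs are ignored.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# System locations named in the issue (FOSS paths).
SYSTEM_DIRS = { confdir: '/etc/puppet', vardir: '/var/lib/puppet' }.freeze

# Hypothetical helper, not Puppet's API: applies the three rules from the issue.
# explicit - settings given explicitly, e.g. { confdir: '/srv/puppet' }
def resolve_dirs(explicit: {}, root: Process.uid.zero?, home: Dir.home)
  defaults = if root
               SYSTEM_DIRS                                  # rule 2
             else
               { confdir: File.join(home, '.puppet'),       # rule 3
                 vardir: File.join(home, '.puppet', 'var') }
             end
  defaults.merge(explicit)                                  # rule 1: explicit wins
end

# Directories from `base` down to `path` that lack the "other" execute bit,
# i.e. that a different account (such as the web server's) cannot traverse.
# Simplification: group membership and ACLs are ignored.
def untraversable_by_others(path, base)
  dirs = [base]
  Pathname.new(path).relative_path_from(Pathname.new(base)).each_filename do |part|
    dirs << File.join(dirs.last, part)
  end
  dirs.select { |dir| (File.stat(dir).mode & 0o001).zero? }
end

# Constructed layout: a private home directory holding ~/.puppet/ssl.
def demo
  Dir.mktmpdir do |tmp|
    home = File.join(tmp, 'home', 'puppet')
    dirs = resolve_dirs(root: false, home: home)
    ssldir = File.join(dirs[:confdir], 'ssl')
    FileUtils.mkdir_p(ssldir)
    File.chmod(0o755, dirs[:confdir], ssldir)
    File.chmod(0o700, home)                 # typical mode for a home directory
    blocked = untraversable_by_others(ssldir, home).map { |dir| dir.sub(tmp, '') }
    { dirs: dirs, blocked: blocked }
  end
end

p demo[:blocked] if $PROGRAM_NAME == __FILE__
```

An explicit `confdir` outside the home directory (rule 1) keeps the certificate path reachable for the web server without loosening the mode on `$HOME`.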
