Issue #16637 has been updated by Jeff McCune.
Curtis Ruck wrote:
> So looking at my issues deeper...
>
> I am using a puppet manifest to build my puppet master (for production). So
> my steps currently are creating the two sets of certificates (including CAs).
>
> 1) su - puppet -s /bin/bash -c "puppet master --no-daemonize -v"
Ah, I think I see your problem. When you start Puppet as non-root, it's going
to use the $HOME directory of the puppet user instead of the system wide
`$vardir`.
I think if you change your script to be something like this, you should be OK.
But remember, you're going to have to make sure the puppet user is able to
write into the system directories.
<pre>
# These run as root, so they'll return the system directories:
confdir="$(puppet master --configprint confdir)"
vardir="$(puppet master --configprint vardir)"
# Have the non-root process use the system directories
# instead of the default personal directories:
su - puppet -s /bin/bash -c "puppet master --confdir='${confdir}' \
    --vardir='${vardir}' --no-daemonize -v"
</pre>
> 2) puppet apply /etc/puppet/manifests/build.pp
>
> In Step 1, it generates the /var/lib/puppet/.puppet/ssl directory.
> In Step 2, it generates the /var/lib/puppet/ssl directory.
>
> I can't seem to get #2 to not generate its own CA and certificates.
Step 1 is running as non-root so it has different default directories than Step
2, which _is_ running as root. I think you just need to make these two steps
match up. You could either run them both as the same effective UID, or
explicitly set `confdir` and `vardir` on one or both to match up with the other.
Hope this helps,
-Jeff
----------------------------------------
Bug #16637: Puppet confdir and vardir are wrong when running non-root
https://projects.puppetlabs.com/issues/16637#change-75524
Author: Jeff McCune
Status: Closed
Priority: Normal
Assignee:
Category: settings
Target version: 3.0.0
Affected Puppet version: 3.0.0
Keywords: telly settings defaults confdir vardir runmode run_mode master system
Branch: https://github.com/puppetlabs/puppet/pull/1194
# Overview
Puppet master should default to confdir of `~/.puppet` and vardir of
`~/.puppet/var` when running as non-root, but instead defaults to `/etc/puppet`
and `/var/lib/puppet` respectively.
In Puppet 3.0.0, the semantics of the term "configuration directory" (confdir)
are as follows:
1. If `confdir` is explicitly configured, this value wins.
2. If Puppet is running as root (or the OS equivalent) then use the system
configuration directory. (e.g. `/etc/puppet` for FOSS or
`/etc/puppetlabs/puppet` for PE)
3. In all other situations use `~/.puppet`
These semantics are no longer affected by the specific username when running
non-root, or the application being run (master, agent, etc...).
This is not actually the case in 3.0.0 though:
# Actual Behavior
<pre>
$ puppet master --verbose --no-daemonize
Error: Could not set 'directory' on ensure: Permission denied - /etc/puppet
Error: Could not set 'directory' on ensure: Permission denied - /etc/puppet
Wrapped exception:
Permission denied - /etc/puppet
Error: /File[/etc/puppet]/ensure: change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet
/File[/etc/puppet/var.master]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/bucket]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/bucket]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/log]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/log]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/log/masterhttp.log]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/log/masterhttp.log]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/yaml]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/yaml]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/public_keys]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/public_keys]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/lib]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/lib]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/certificate_requests]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/certificate_requests]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/run]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/run]: Skipping because of failed dependencies
/File[/etc/puppet/manifests]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/manifests]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/private]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/private]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/private_keys]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/private_keys]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/rrd]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/rrd]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/ssl/certs]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/ssl/certs]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/reports]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/reports]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/server_data]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/server_data]: Skipping because of failed dependencies
/File[/etc/puppet/var.master/state]: Dependency File[/etc/puppet] has failures: true
Warning: /File[/etc/puppet/var.master/state]: Skipping because of failed dependencies
Error: Could not prepare for execution: Got 3 failure(s) while initializing: Could not set 'directory' on ensure: Permission denied - /etc/puppet; Could not set 'directory' on ensure: Permission denied - /etc/puppet
Wrapped exception:
Permission denied - /etc/puppet; change from absent to directory failed: Could not set 'directory' on ensure: Permission denied - /etc/puppet
</pre>
# Expected behavior
`confdir` and `vardir` should default to my home directory when run as non-root
user "jeff"
<pre>
$ puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): E4:95:B1:A5:01:A5:07:80:0B:B7:C6:5E:C1:4F:58:EF:CD:FF:D3:DE:EC:30:EF:10:3C:92:53:91:7A:33:26:BC
Signed certificate request for ca
Rebuilding inventory file
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for mccune.local
Info: Creating a new SSL certificate request for mccune.local
Info: Certificate Request fingerprint (SHA256): A8:77:22:5A:D0:C8:89:69:8E:3B:38:7A:0B:43:E3:D7:AA:E8:7F:73:F3:DC:E6:E2:0C:E1:BA:23:41:ED:4B:CF
mccune.local has a waiting certificate request
Signed certificate request for mccune.local
Removing file Puppet::SSL::CertificateRequest mccune.local at '/Users/jeff/.puppet/ssl/ca/requests/mccune.local.pem'
Removing file Puppet::SSL::CertificateRequest mccune.local at '/Users/jeff/.puppet/ssl/certificate_requests/mccune.local.pem'
Starting Puppet master version 3.0.0
</pre>
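The three-step defaulting rule from the Overview, and the two-process mismatch Curtis Ruck described in the comment above (a master run under `su - puppet` and a `puppet apply` run as root resolving to two different ssl directories and therefore two independent CAs), as an added example. This is not Puppet's code and not from the issue; it models the rule in plain POSIX sh so a build script can abort before a second CA is minted. The function names (`resolve_confdir`, `resolve_vardir`, `resolve_ssldir`, `check_ssl_dirs_match`), the uid `105`, and the `HOME` values are this example's own constructed inputs. It treats "root or the OS equivalent" as uid 0 only, and it assumes Puppet 3's `ssldir` default of `$confdir/ssl` (which the expected-behaviour output above bears out with `/Users/jeff/.puppet/ssl`), with an explicitly configured `ssldir`, as distribution `puppet.conf` files commonly set, taking precedence.

```shell
#!/bin/sh
# Added example, not Puppet's own code. Models the Puppet 3.0.0 confdir/vardir
# defaulting rule and checks two process runs for an ssldir mismatch.
# All uids, HOME values and paths below are constructed inputs.

# Rule 1: an explicit --confdir wins. Rule 2: uid 0 gets the system directory
# (/etc/puppet for FOSS). Rule 3: everyone else gets ~/.puppet.
# Usage: resolve_confdir UID HOME EXPLICIT_CONFDIR_OR_EMPTY
resolve_confdir() {
    uid=$1; home=$2; explicit=$3
    if [ -n "$explicit" ]; then
        printf '%s\n' "$explicit"
    elif [ "$uid" -eq 0 ]; then
        printf '%s\n' /etc/puppet
    else
        printf '%s\n' "$home/.puppet"
    fi
}

# Same three rules for vardir: explicit, /var/lib/puppet for uid 0,
# ~/.puppet/var for everyone else.
# Usage: resolve_vardir UID HOME EXPLICIT_VARDIR_OR_EMPTY
resolve_vardir() {
    uid=$1; home=$2; explicit=$3
    if [ -n "$explicit" ]; then
        printf '%s\n' "$explicit"
    elif [ "$uid" -eq 0 ]; then
        printf '%s\n' /var/lib/puppet
    else
        printf '%s\n' "$home/.puppet/var"
    fi
}

# Assumption (see lead-in): ssldir defaults to $confdir/ssl unless set
# explicitly, e.g. by a packaged puppet.conf.
# Usage: resolve_ssldir UID HOME EXPLICIT_CONFDIR_OR_EMPTY EXPLICIT_SSLDIR_OR_EMPTY
resolve_ssldir() {
    if [ -n "$4" ]; then
        printf '%s\n' "$4"
    else
        printf '%s/ssl\n' "$(resolve_confdir "$1" "$2" "$3")"
    fi
}

# Compare the ssldir two runs would use. Returns 0 when they agree, 1 when
# they do not, so a build script can stop before a second CA is generated.
# Usage: check_ssl_dirs_match SSLDIR_STEP1 SSLDIR_STEP2
check_ssl_dirs_match() {
    if [ "$1" = "$2" ]; then
        echo "ok: both runs use $1"
        return 0
    fi
    echo "mismatch: step 1 -> $1, step 2 -> $2" >&2
    return 1
}

# Curtis's procedure as reported: step 1 runs as the puppet user (constructed
# uid 105, HOME=/var/lib/puppet) with no --confdir; step 2 runs as root with a
# packaged puppet.conf that pins ssldir to /var/lib/puppet/ssl.
step1=$(resolve_ssldir 105 /var/lib/puppet "" "")
step2=$(resolve_ssldir 0 /root "" /var/lib/puppet/ssl)
check_ssl_dirs_match "$step1" "$step2" \
    || echo "fix: pass the root-resolved confdir/vardir to step 1" >&2

# Jeff's fix: resolve the directories as root, then hand them to the non-root
# run explicitly so rule 1 applies and both steps share one ssldir.
sysconfdir=$(resolve_confdir 0 /root "")
step1_fixed=$(resolve_ssldir 105 /var/lib/puppet "$sysconfdir" /var/lib/puppet/ssl)
check_ssl_dirs_match "$step1_fixed" "$step2"
```

The check is worth running before any `su - puppet ... puppet master` step in a build script: a mismatch is cheap to detect and expensive to discover later, because by then each run has signed its own CA and the agent certificates from one will not validate against the other. Remember, as the comment above says, that pointing the non-root run at the system directories also means the puppet user needs write access to them.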
--
You received this message because you are subscribed to the Google Groups
"Puppet Bugs" group.